by WovenTales 3101 days ago
If that were all that could do it, sure. That's not the end of it, though. I was trying out anonymization methods a while back, and created an account for use through Tor + a VPN (yes, I know it's Google). I recently tried to get back into it, but since I wasn't "where I usually sign in" (and can't actually say what city they thought that was), I'm locked out. I have the correct password in my manager, and I can even answer that "when did you create this account" question because of that, but Google still won't give me any way in. Since there's nothing important in there, I'm fine leaving that particular address behind rather than escalating things, especially after reading the article, but there are a few really dangerous implications there if you do want to habitually decouple your IP from your physical location.

Usually if you can SMS verify they will let you in. Google (and many other companies) insist on SMS not because it is secure (it's not) but because it requires account spammers (scammers) to put up some money (buy a phone) before they let you use the service too much. I would be surprised if you get through the registration process before they insist on SMS verification if you are coming out of a VPN provider netblock. And forget coming out of a TOR exit node.

Keeping your identity hidden from Google while using their services is a fool's errand. Find some other email provider with less big data mining expertise.

I'm confused, so you are answering every single security question correctly and you are logging in from your usual location without any kind of Tor/VPN/etc. and you still have no way to access that account? Or are you merely prevented from logging in via Tor/VPN?
That is correct, I had the same issue.

My account was previously always used in Germany, and then fell into disuse once I migrated to another Google account (to change the primary email address).

Someone tried several passwords for the account from Russia, Google warned me by sending a warning to the backup email, and let the attacker in anyway.

Being in Germany, the reset flow asked me to either

(a) provide the phone number used, prove I control the backup email, and provide the exact account creation date (I was off by a few months, and it failed to allow me in),

(b) prove ownership of the backup SMS, backup email, and answer all security questions correctly (which I couldn't, because the phone number had long been reassigned).

I, desperately, called Google Nexus support (not possible to solve), and even asked people on the inside, who got the account team on it (more on that later). No can do.

In the end, I got the new owner of the phone number (ALDI Talk reassigns phone numbers after 6 months disuse) to help me by him sending me the SMS verification code, which I'd enter, to verify identity, and get the account back.

After I managed to log into the account, I obviously enabled 2FA, secured it, etc., but I also found a new message in the inbox, from Google's account recovery team, the usual 'thank you for contacting us, etc.' one. They had contacted 'me', after I complained that the account was hijacked, by writing an email to the account, and talking with the attacker. Who obviously said there's no problem.

>> I'm confused, so you are answering every single security question correctly and you are logging in from your usual location without any kind of Tor/VPN/etc. and you still have no way to access that account?

> That is correct, I had the same issue.

> the reset flow asked me to either (a) provide the phone number used [...] or (b) prove ownership of the backup SMS [...]

> (which I couldn't, because the phone number had long been reassigned)

But this means what I said earlier is not correct, since you are not answering all of their security questions correctly.

I managed to successfully complete the (a) flow, but it was considered not enough, due to the different IP, and minor inaccuracy with the creation date.

I later managed to successfully complete the (b) flow due to the SMS.

I believe Google isn't using a binary definition of success, but a confidence interval of how sure they are you are the actual owner - if they are reasonably sure you are the owner, fewer questions need to be solved, if they are reasonably sure you are not, they cancel the flow before you even have a chance, and if they're unsure, they ask you more questions.

On my first attempt, I got over a dozen questions to validate myself, later on, I got told "sorry, we don't believe you" after already one question.

> I managed to successfully complete the (a) flow, but it was considered not enough, due to the different IP, and minor inaccuracy with the creation date.

That's exactly what I mean though. You didn't answer their questions correctly. It wasn't just due to your location/IP; you put in the wrong date. (It's quite funny/ironic that you are also answering my questions incorrectly and yet insisting otherwise. While I sympathize with you for the actual problem, it doesn't help anyone sympathize when they see facts being twisted!)

> you put in the wrong date

There is no "wrong" or "right" date for Google. Google's support says to input whatever date you remember, Google will judge it as neither "true" nor "false", but based on how close you are, and (this part is now speculation) combine that with other factors.
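The two comments above (the confidence-interval hypothesis, and the graded scoring of the creation date) describe a risk-scored recovery flow rather than a pass/fail checklist. The following is an added toy model of that idea, written for this page; it is not Google's logic, and every weight, threshold and the decay curve for the creation date are invented assumptions.

```python
"""Toy confidence-scored account recovery, illustrating the thread's hypothesis
that recovery is graded rather than pass/fail. Constructed for this example;
not Google's logic, and every weight and threshold below is invented."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecoveryEvidence:
    ip_matches_usual_location: bool           # signing in from where the account normally lives
    creation_date_off_by_days: Optional[int]  # None: the user skipped this question
    backup_email_proven: bool
    sms_proven: bool                          # code received on the number on file
    security_questions_correct: int
    security_questions_asked: int


# Assumed weights, in points out of 100. The sum exceeds 100 on purpose:
# several strong signals should each be able to carry a decision on their own.
W_IP, W_DATE, W_EMAIL, W_SMS, W_QUESTIONS = 25, 15, 25, 35, 10


def creation_date_points(off_by_days: Optional[int]) -> int:
    """Graded credit: full within a week, decaying linearly to zero at one year."""
    if off_by_days is None:
        return 0
    fraction = max(0.0, 1.0 - max(0, abs(off_by_days) - 7) / 365.0)
    return round(W_DATE * fraction)


def confidence(ev: RecoveryEvidence) -> int:
    """Points of confidence that the requester is the real owner, capped at 100."""
    points = creation_date_points(ev.creation_date_off_by_days)
    points += W_IP if ev.ip_matches_usual_location else 0
    points += W_EMAIL if ev.backup_email_proven else 0
    points += W_SMS if ev.sms_proven else 0
    if ev.security_questions_asked:
        points += round(W_QUESTIONS * ev.security_questions_correct / ev.security_questions_asked)
    return min(points, 100)


def decide(ev: RecoveryEvidence, allow_at: int = 70, deny_below: int = 30) -> str:
    """Three outcomes instead of a binary pass/fail: allow, ask_more, or deny."""
    c = confidence(ev)
    if c >= allow_at:
        return "allow"
    if c < deny_below:
        return "deny"
    return "ask_more"


if __name__ == "__main__":
    # Flow (a) from the thread: backup email proven, date off by ~3 months, unfamiliar IP.
    flow_a = RecoveryEvidence(False, 90, True, False, 0, 0)
    print(confidence(flow_a), decide(flow_a))   # 37 ask_more
```

With these assumed weights, the poster's flow (a) lands in the "ask more" band, flow (b) with the SMS code reaches "allow", and a requester with no matching evidence is denied outright, which reproduces the three behaviours the thread describes.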

This is very surprising - what of people who like to travel??
2FA if you care about your accounts.

You should probably do U2F with YubiKeys, if you care.

If you are smart enough to use TOR shouldn't you also be using 2FA?

Ideally, U2F...

Do you have any evidence that Google treats 2FA differently in this scenario?
If I travel many accounts often ask for 2FA...