[koffiezet]

> You need to have a 2FA authenticated connection or be on a 2FA authenticated device within validity period to change 2FA settings. You can elect to have 2FA not remember the device you have logged into as well (ie, the remember this device for 30 days option) if you are particularly paranoid.

To change security-related settings, it's default practice to double-check even the user's password without 2fa.

> This is a fantastic balance in terms of security and usability.

Sorry, that's plain apologetic bullshit. How often do you enable and disable 2fa? This has nothing to do with usability.

[anon102010]

This is not "apologetic BS"

Your comment illustrates a DEEP misunderstanding of dealing with users at scale.

You have millions and millions of users.

You are proposing that the threat / benefit model is such that if they lose their 2FA device (very easy via upgrades to phones, lost phones broken phones) EVEN though they have their password and and have access to a trusted device within the validity window for device trust they will be locked out, potentially forever from their account?

Do you

a) realize how common this situation is?

b) realize how angry users will be to lose access to all their google services with basically no support route to recover that?

c) what pressure there will be to allow for other recovery methods THAT ARE EVEN WEAKER?

I've gone through 2FA reset procedures over the phone with a few companies, and in EACH case it struck me how easy it would be to socially engineer or use very minimal info to get a new 2FA when they allow these methods (ie, last 4 digits of CC was one reset piece of info). So you need to allow workable 2FA update methods so that your fallback can be pretty tight if allowed at all.

Finally, consumer accounts have basically NO recovery option if you are locked out. I had a relative get locked out, nothing to be done (they had a landline that couldn't accept text messages and the system won't do voice calls). There is NO human backup - all emails, google photos, google drive etc GONE.

[el_nino]

> This is not "apologetic BS"

You started by claiming it's "100% false" and ended up saying changing your mind and agreeing it's true but for a good cause.

I agree it's not BS but apologetic it definitely is. You are justifying a decrease in security for the benefit of usability. This in itself would be a worthwhile goal if it wasn't for the facts that it goes against reasonably expected behavior and as a user I am not made clearly aware of this or given the option to control it.

Everyone is used to being asked for password reconfirmation before changing the password so it figures that they have the same expectation for the 2FA. I know I did.

> There is NO human backup - all emails, google photos, google drive etc GONE.

That's also Google's decision. You can't use one bad decision to justify another. It's likely this 2FA decision wasn't taken to help you get easier access to your account but to allow them to have 0 support knowing 2FA issues are easy to happen especially to people who won't properly save recovery keys (most people).

[rdiddly]

This is the "It's because of our amazing success that we totally fail at things" argument. If you can't do things right "at scale," that's fine, but everyone should know you suck at servicing that level of load, for example the fact that you don't require 2FA to change my 2FA settings, and there's no support path or even a support department for when my phone falls into a port-a-potty.

[anon102010]

You can't change 2FA with just your password - you are being confused by the headline.

You need a second factor. That is either your 2FA device, a backup 2fa, backup codes, an authenticated and still valid login session etc.

If you are security paranoid you can lockout insecure 2fa methods, never validate your device and sign up for their Advanced Protection Program.

Note however, google is VERY clear -> if you lock yourself out it is game over. They do not allow humans to override the lockouts -> period. This is obviously good for security. All the folks here complaining about this supposed 2FA issue while asking for human support to allow login override / resets really have no clue about the GIANT security hole that opens.

Witness all the sim card hijacking done through phone co's (that do allow human involvement).

Google is CRYSTAL clear.

Q: Create a replacement Google Account

A: If you still can't get into your account, create a new one.

Q: Why can't I get into my old account?

A: We couldn't be sure that you're the owner. To keep accounts safe, we can't give access to them if we can't confirm who the owner is.

They've closed the big hole (human override / corruption / bribes / social engineering). And have made it so that you have only a bit of extra risk to stay in your account. Don't like that? Don't authenticate your devices as trusted.

[asdfasgasdgasdg]

> but everyone should know you suck at servicing that level of load

I think that mission is pretty well accomplished, right? I mean it is basically a meme at this point that Google has declined to spend the money that would be required to offer high quality interactive support for unpaid consumer accounts. Apparently people value their services more than they are concerned about the risk of needing support.

So, within that framework, the important question for both the consumer and for the service provider is what the best security trade-off is to accomplish their various goals. I think there's a pretty compelling argument made in this thread that the current stance is more optimal that requiring reauthentication for the vast majority of stakeholders.

[rdiddly]

Have to agree, though maybe not with the tone. Speaking in absolutes, the whole point of security is to make things unusable. Then for the resource owner we open up a small hole that only they can pass through, by some proof, of varying strenuousness. Wouldn't it be so much more usable if they didn't have to do that? Yes but other people would then find it "usable" as well.