by rdiddly
2164 days ago
This is the "It's because of our amazing success that we totally fail at things" argument. If you can't do things right "at scale," that's fine, but everyone should know you suck at servicing that level of load, for example the fact that you don't require 2FA to change my 2FA settings, and there's no support path or even a support department for when my phone falls into a port-a-potty.

You need a second factor. That is either your 2FA device, a backup 2FA, backup codes, an authenticated and still valid login session, etc.
If you are security paranoid you can lock out insecure 2FA methods, never validate your device and sign up for their Advanced Protection Program.
Note however, Google is VERY clear -> if you lock yourself out it is game over. They do not allow humans to override the lockouts -> period. This is obviously good for security. All the folks here complaining about this supposed 2FA issue while asking for human support to allow login override / resets really have no clue about the GIANT security hole that opens.
Witness all the SIM card hijacking done through phone co's (that do allow human involvement).
Google is CRYSTAL clear.
Q: Create a replacement Google Account
A: If you still can't get into your account, create a new one.
Q: Why can't I get into my old account?
A: We couldn't be sure that you're the owner. To keep accounts safe, we can't give access to them if we can't confirm who the owner is.
They've closed the big hole (human override / corruption / bribes / social engineering). And have made it so that you have only a bit of extra risk to stay in your account. Don't like that? Don't authenticate your devices as trusted.