by cunthorpe 1655 days ago
This kind of stuff ought to be regulated somehow; one can’t lose access to one’s life.

I recently wasn’t able to recover an old account because I did not have access to my 2FA number and their help site suggested I “contact the phone company to recover the number, then try again.”

I had to do the same exact thing for another service but they did allow me to change the number by providing some information like last transaction, ID, selfie with statement.


Yup, lost my phone for a few months until my provider deleted my number and moved it on to someone else; now I am locked out of my PayPal.

I tried to find a pay-as-you-go SIM where the number doesn't expire and I would use that exclusively for 2FA, but such a SIM does not exist in the UK; most expire after 3 months, the longest is 6 months.

Now I know this is an issue but it doesn't seem like there is anything I can do to solve it.

I have a Giffgaff SIM for this reason. The expiry is 6 months and I have remembered to use it within that period so far. Not ideal but I would imagine you need a 2FA code more regularly than that.

I wonder, if used with a smartphone (mine is in a dumb Nokia), whether you can automate an SMS send or outgoing call once every month or something?

You could avoid using SMS for 2FA. Most websites offer TOTP as first choice for 2FA. For the ones that insist on SMS 2FA being first choice, I don't bother using them anymore. I delete the account and find another provider.
"Most websites" has not been my experience at all. Sure, for the big ones like email and a lot of dev tooling that's the case. But there's a huge amount of services that require SMS verification, and once you lose access to that number you get locked out. A very common case is losing one's phone (or having it stolen), at which point you have to log into your accounts again from another device but also don't have access to your SIM anymore.
Funnily, Google Suite does not offer TOTP with Google Authenticator… unless you use SMS/Voice 2FA first… and then you can activate TOTP. I asked if I can then remove the phone number later, and was told that it is possible, and that they won’t use this number for anything in the future. But who knows…
The NHS requires SMS 2FA - can't get around that.
I’ve moved my mobile number to VoIP using https://www.aa.net.uk/voice-and-mobile/number-porting/mobile... and receive all text messages via mail. I use it for call forwarding when I’m abroad to avoid roaming charges; also, a SIM swap attack seems less possible?
I did that a few years ago but have been finding that every year more and more websites are recognizing the number as VoIP and refuse to send SMS to it.
If you are in Europe, and at least for email, it is regulated.

The GDPR's Right to Data Portability means that a company is obligated to give you access to your personal data - they are within their right not to have you as a customer anymore, but they must give you at least a copy of whatever data they already have.

Of course, you'll probably have to jump some hoops to prove that you are you, but IMHO that's a reasonable compromise.

> Of course, you'll probably have to jump some hoops to prove that you are you, but IMHO that's a reasonable compromise.

But how can I prove I own my email if I don't have the credentials / Google won't let me log in?

I wrote about my experience for that exact same situation here:

https://7c0h.com/blog/new/lost_gmail_ii.html

In short, you can send their Data Protection Office a letter demanding access to your data. In my case it took almost three months but they eventually relented and reset my password. I guess a lawyer could have gotten it done faster, but who knows.

Did they ever verify that you had the old password / recovery email like you offered? It seems strange to me that they reset an account password because they got many letters asking them to.
All e-mail communications were sent through the same address I gave as recovery address, so they didn't have to ask. It is possible that one of their e-mails was sent to my recovery address instead of my personal address, but since they are the same account I wouldn't know.
Ah, that makes sense. I'm glad it worked out for you!
Thanks for sharing this! I'm glad that there's a way.
Doesn't work with Google. If you cannot log into the account, their legal team won't accept that you are the account holder. Even if you provide passport and driving license etc., they can't be sure, because you didn't upload the passport and stuff when opening the account.
I'm having trouble deciding whether you talk about something that has happened or about something that could happen.

Assuming it's the latter: given enough evidence that you are you (same name as the recipient, deep knowledge of the account, knowledge of the password, etc.), any court would rule in your favor and force Google to turn over the account. But I would be willing to bet that, assuming you are no one "special", they would relent much earlier in the process - the cost of the lawyers alone would probably outweigh whatever profit they obtain from you, and GDPR fines can be high.

But there are also massive GDPR fines for handing the data to the wrong person. Inaction is less risky.
Then you can sue, I guess.
> This kind of stuff ought to be regulated somehow, one can’t lose access to one’s life.

You can't create regulation requiring anyone or anything be competent and responsible.

If you entrust your livelihood to a company that cannot be trusted, that's on you.

Yes you can. There are all kinds of regulations. Many entities are held to high standards. They're exposed to liability.

The 'free' era of the internet has been enabled by excessive liability shields granted to shareholders that are collectively worth trillions of dollars, and those riches have been built around callous disregard for the property and rights of billions of people worldwide.

That being said, with Gmail, you get what you pay for. With Google's paid-for hosted email, you don't get what you pay for either. It's not a good provider if you ever have any issues with it that cannot be solved by their automated processes.

Imagine applying the same logic to hospitals.

«A malpractice lawsuit? You silly goose!»