by nalllar 1275 days ago
Removing security keys that have been registered for years is very unlikely to be the right move even if my device has been compromised, as they are one of the most reliable ways I could prove I am the original account owner at some later point.

If the message had stated "We have removed recently added security keys" I would be a lot more understanding!


If you had your recovery keys stored in a note on lastpass you might have wanted to rotate those as well recently.

Yeah, in theory those recovery keys should still be secure, but you know for certain that a hostile attacker has the encrypted secure note, and without any confidence in lastpass it makes sense to change them as well.

Unfortunately this means you look exactly like someone doing an account takeover and changing the password and recovery keys on the account.

Thanks for the heads up.

I don't use lastpass, but if I did I wouldn't have to because this "Just to be safe" process also reset/removed the recovery keys.

> registered for years

Right, that's likely the "bug" part. On HN of all places, people shouldn't be surprised that bugs happen.

Unfortunately due to a lack of customer support posting here gives me the best chance of getting it fixed!

If google had working support flows I would not have written this up or posted here about it.

A few years back I lost access to a different google account as the recovery phone number was a landline and google was trying to send SMS messages to it. I had the right password but it thought I was suspicious and insisted on SMS verification. I never managed to reach a human to get something done about the issue.

> Unfortunately due to a lack of customer support posting here gives me the best chance of getting it fixed!

> If google had working support flows I would not have written this up or posted here about it.

They do, you just have to pay for that privilege via Google One.

If you are locked out you can't access Google One's support.

My understanding is that you can always call them, even if your account is blocked.

I don't have it but it looks like you have to initiate the call from the Google One page and they call you, they don't have an inbound number.

Googling "google one phone number" did show me a potential scam result in the infobox at "gooogle-live-personn" on google sites that obviously isn't official. You can't make this stuff up.