by Handprint4469 780 days ago
I bought an iPhone a couple of days ago, and was planning on using the weekend to finally migrate from my old Android phone. Luckily, I haven't even opened the box so I should be able to return it for a full refund. No way I'm spending over $1000 for this kind of experience.
4 comments

Black swan events can happen to you. Recently I traveled to a European country from my base (Middle East). I normally take my phone and laptop with me and they are synced. I forgot the laptop charger and could not get one locally not at least for about a week and then dropped my phone and it got damaged. I bought another phone (Android) and tried to log in to my google accounts. It recognized the email and the pswd but then wanted verification from the original device! Despite having the original sim in the new phone.

On my return everything went smoothly through my laptop. Scary though.

My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

Data is easier to protect by offline and online back-ups, but your online identity is hard.

I had a similar experience with google a while back.

My conclusion: Eliminate what little remaining usages of their services I have.

Doing that with iCloud and Google would be a colossal pain. This event has me thinking more seriously about self-hosting a few more things.

> My conclusion: Eliminate what little remaining usages of their services I have.

This. I never used the Apple's Cloud offerings to backup things - and I stopped using any Apple devices since the BatteryGate. I semi-degooglify my Android(s), and never use the "Google-*" (contacts, calendar, etc.). I block them with NoRoot Firewall and disable them, and use other apps for those services. I sync with my Outlook (2013) and my backup is with Carbonite. I do have to jump through a couple of hoops, but considering that I don't live under the threat of 'death' by Apple or Google to hold me hostage with my data/etc, the little effort is well worth it.

>> I never used the Apple's Cloud offerings to backup things

I try not to, but every year I log in and check and there is data stored in their cloud that I specifically tried not to have stored there.

Exactly. I recently had the same experience of being locked out when I lost my old device and had no recourse. My conclusion was the same and I've stopped relying on all Google services except Gmail.
> when I lost my old device and had no recourse

Well, if you used Google 2FA, the Authy app exists, and allows you to securely store 2FA in the cloud (as long as you remember your Authy credentials).

If you don't, then yes, your physical phone essentially becomes a dongle and if you lose it, you're screwed. Perhaps they don't educate users enough about this, but that's the fact

Don't bind your online identity to Apple or Google or Microsoft, in particular not the email addresses you use for accounts. That at least limits the damage they can do.
Fundamentally it's going to be bound to someone though. If you run your own domain to host your main email address, you're now bound to the registrar's login to manage that domain name, and also the cloud provider you're using to host the mail services (unless you run that off a machine you have physical access to).
Sure, but I'd much rather be bound to a domain registrar, where I'm paying them for a small, well-defined, self-contained service, where I have recourse if they do something shady to me.

For Google/Apple/etc., I'm either not paying them at all (in which case they have very little incentive to help me if something goes wrong), or I am, but for a basket of services. The identity portion of those services is probably not what that company is focusing on providing, and any weirdness with any other service in that basket could cause me to lose my access to the identity bits, often without recourse.

Yes, but you can choose a medium-sized, established registrar with a functioning human support desk, where you are the customer instead of the product driving hyperscale ad revenue. The hosting provider is not an issue, because you can switch very quickly to a different one if needed, and only have to change your DNS entry at the registrar, or whatever you use as your nameservers. Depending on your country’s jurisdiction, you also may have some legal rights to the domains you acquire under the country TLD and are not exclusively at the mercy of the registrar.
If you use your own domain, open source software, and backup often they can't lock you up forever like Google/Microsoft/Apple tho
You're missing my point that you're still beholden to the domain name registrar that manages your domain name on your behalf. That account getting permanently locked out will have all the same bad consequences for your online life as your Google account getting locked out.

And keep in mind that being a domain name registrar is a low margin business (typically they're only grossing a few bucks per domain per year, before accounting for any other expenses like staffing and systems), so you're not gonna get great support.

My understanding is that legally you own the domain and the registrar is only managing it on your behalf and they are required to transfer it to another registrar if they terminate you as a customer. As recently happened for Russian users on Namecheap for example.
This. My TOTP 2FA for Namecheap just stopped working one day, despite nothing changing. I was totally locked out. I got lucky and their support was helpful and we reset it after a few hours, but it made me realize that there is no way to be 100% safe.

(My Google account is dead even though I have the username, password and recovery email which forwards to me since I don't have the phone number)

At some level, every business has incentives to minimize what they provide you vs what you provide them. But even low margin businesses where you’re the customer are more likely to have incentives and structures built around paying attention to you than low margin per user businesses where users aren’t the customer but part of the product.
I don’t think anyone is arguing that they can get away from the chain of trust required to operate in the modern world.

I believe they are advocating for minimizing risk by not deeply integrating with capricious cloud providers.

I host my own email service and several times have had the registrars get sold and once sold and then the purchasing registry discontinued the registry service, or maybe the secondary DNS. They generally have support that at least understands how DNS works, which I find surprisingly rare among tech folks.

However the big problem is I am frequently banned from emailing gmail or office365. Never Apple for some reason. So I can read email but I can’t that well send it. But I don’t really care much, mostly people have to tell me out of band to check my email if they have sent me email. My email sessions are mostly a review of current spam practices and questionable emails from firms I have done business with.

The backup for that is a registered trademark on the domain. Recovery via ICANN procedures is slow, though.
Registrars are beholden to the registry and ultimately to ICANN rules (for classic TLDs at least). They can't just fuck you over whenever they feel like in the same way that Google/Microsoft/Apple can with their services.
Some failure states are unique to people who exist in these weird edge-case states though. Like the person who had their luggage stolen, the person registered the laptop to their own account, then returned it still paired. And apple wouldn’t un-pair it from Find My even with a police report documenting it all, therefore it’s bricked.

(And to be fair to apple here - they didn’t do anything wrong here, strong end-to-end security inherently means allowing these states. Otherwise the cops could order apple to unlock it too, and apple wouldn’t have a moral ground to object if they’re regularly performing the task in other circumstances. Otherwise people could social-engineer apple support to unlock a stolen device, or their partners. To a certain mindset, google and apple not having any real support is a strength because there’s no way to social-engineer your way past the actual security. But people want both the idea of E2E security and the convenience of being able to remotely un-register a laptop from someone else's account...)

Anyway, that failure mode wouldn’t exist if they were logged in to their account, and e2e encryption makes that a very low-risk thing overall.

Apple can’t see where to it devices are anyway, without doing a song-and-dance to authorize the session on a pre-authed device. Airtags and iphones have a rolling hardware identifier for bluetooth and wifi based on a cryptographically strong pseudorandom sequence, and apple can't correlate the identifiers back to an actual device without a pre-authed device relaying the sequence from your account. Etc etc.

Apple have actually done the legwork to make sure they can't see anything (or be forced to reveal anything) if you don't want them to (by enabling E2E), and that actually does drive a lot of "user-unfriendly decisions". And sure, android people will say "that's awfully convenient", but, the end state is still a lot stronger than any other major offering regardless of why you think they're doing it.

There really isn’t a good solution for this for the masses, is there?
Buying a domain is not difficult, nor is configuring it with a mail service like Fastmail. Yes, it’s slightly more involved than signing up at GMail, but it’s less complicated than doing your taxes (YMMV). The more people do it, the more helpful resources and service would appear for it. The problem is most people don’t care until they get unlucky and their account gets cancelled for inscrutable reasons. It would be better to have regulation that protects users.
The risk of an average person forgetting to update their credit card details and irrecoverably losing a personal domain is almost certainly thousands of times higher than them being accidentally and permanently locked out of a Google or iCloud account.
Where I live, the most common payment method for such services is direct debit from your bank account, where the details never change unless you switch banks; and in the rare event that you switch, you can make use of a service that banks are legally required to provide for transferring debit mandates to the new account. I bought my first domain about twenty years ago and never had to change anything regarding payment.
Although I can and have managed domains and mail services, I don’t agree that what you described is for the majority. Do you really think that’s true?
In the current state, the majority will need some help, similar to how they need some help when something goes wrong with their laptop. But as I said, if this would become a more widespread practice, more services would become available that make it easy and that help in case of trouble.

The biggest impediment is probably that most people aren’t willing to pay (say) $10 per month for a domain and email hosting like they do for streaming services, because they’re used to email being free. So they remain at the mercy of the big providers.

But I can at least encourage the HN crowd here to move to independent services and to use their own domain.

You can use your own domain with Google at least, and I’m guessing Microsoft as well. It could be a good middle ground where you control your email and just let google,etc use it for the time being. It looks just like gmail but you can always get out if you have to.
Which is why they make it so hard to avoid doing this.
Using your own email account doesn’t generally make things more difficult.
I'm thinking of Microsoft Accounts on PCs and how you need to know how to jump through hoops to avoid them at OOBE. And about how this is about AppleIDs and losing them - it's my understanding that Apple is less aggressive about AppleIDs than Microsoft is about Microsoft accounts, but also, TFA. Google has similar levels of fuckery especially if you're on Chromebooks but Google's sin is nonexistent customer support. I wouldn't want my most important email address to be tied to any of these three, although I speak as a gmail-using hypocrite who plans to change that soon.
The thing that really bugs me about Google is you can make an account tied to an unrelated domain, but then they don't let you use that for a lot of things, so you're forced into a gmail account.
iTunes didn't even allow you to add your own album art. To do so you had to be signed in with Apple ID, so Apple could look up the album details on the iTunes store and set the image that way.

This was in 2008, so the software ecosystem lock-in strategy was already well-established back then.

I was adding my own album art to ripped CDs since well before 2008.
This is utterly false: https://www.youtube.com/watch?v=bnBsIAiZfFc

You could always edit artwork in iTunes. Indeed, you could import albums from your own CDs and not even use the iTunes Music Store at all.

The video you linked is from 2015, almost a decade after the time period I referenced in my comment.
Or, keep a set of single-use backup codes for 2FA. Google offers this[1], though I don't know if Apple does or not.

Storing them seems problematic, but it really isn't: They're just random-looking 8-digit numbers and nobody but you needs to know that they belong to your Google account.

Or, KISS. If you're happy with the idea that the SIM card controls the key to the castle, as it seems that you are, then: Put a backup code in a contact in your SIM card. (It is kind of a lost art these days, but SIM cards are still data storage devices here in 2024.)

[1]: https://support.google.com/accounts/answer/1187538?hl=en&co=...

> It recognized the email and the pswd but then wanted verification from the original device!

Did you have 2fa enabled by any chance? I have 2fa via TOTP on my accounts and while they offer using a signed in phone as a verification option, using TOTP was always an option, and I was never locked out of my account.

>Despite having the original sim in the new phone.

That would only help if google had some way of tying the installed sim to your account. Given the privacy implications and the technical difficulties, I wouldn't be outraged at the fact it didn't take your sim into consideration.

Yes I had 2fa + OTP, however being a new phone they still ask you to tap on the old phone.
Are you talking about a prompt like this[1]? If so, there should be a poorly named "more options" or "don't have your phone?" link that gives you the option to enter your TOTP code instead.

[1] https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh...

I vaguely remember a situation where it was not possible for me to choose such an option, but I don't remember the details
> My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

And then say, Meta decides to ask for login verification on your other device, and you lose that account because you always logged to it through a browser in private mode, so no device actually has an active session. Happened to my wife the other day.

IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much, and not even a guarantee of safety anyway, as next week Google or Amazon will hit you with some next weird trap to keep you "sekhure".

I can easily imagine an AI algorithm noticing a user has two phones, and deciding that is out of the ordinary and suspicious, and locking you out of both.
>IT "Security" is reaching new heights of being bullshit. You can't win, and asking people to buy multiple devices and keep them continuously in sync is a bit much

You likely don't need to buy multiple devices. I log in from random countries/VPNs all the time and never have issues, but I do have 2fa enabled. If your account only has a password and there was a suspicious sign in attempt, it's reasonable for them to ask for additional verification somehow because you could be a victim of a credential stuffing attack. It's hard for companies to win here. Either people complain about their accounts getting randomly locked because they were on vacation in Romania and tried signing in on a new device, or the companies get grilled by the media for "failing to proactively protect their users' data" or whatever.

I would agree with you if there actually was anything different in a suspicious way about those logins. There weren't. Same devices, same ISP, same browsers, not even an OS update in between. Just one day, few days ago, out of the blue, Facebook decided to pop up a confirmation request, offering no alternative to confirming from "another device", and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Maybe the companies can't win, but they also have themselves to blame. They shouldn't have convinced people to entrust their only copies of data with them. Your vacation photos should not depend on someone's cloud platform. Half of your entire offline life shouldn't depend on Google not randomly locking you out of GMail. But here we are, and I'll keep calling those "security updates" bullshit because they don't care about long tail, and they don't care about hazards they create for most of their users.

My experience with Meta is it is just a PII fishing expedition masquerading as a security check.

I abandoned my facebook account when they asked for my driver's license scan, a few weeks later suddenly they didn't need it after all. My BIL recently wanted me to check out something he had set up on facebook and I found I could "login" by clicking one of the "what are people doing" spam emails they send. I've never used it on this PC before and have no idea what the password even is anymore. Super secure.

What would happen if you send them a realistic, but fake generated scan?
> and that's with them knowing (or at least having that information available) that there are no live sessions of that account (the whole browser in private mode thing).

Unless you explicitly logged out, they are likely to see the opposite picture, i.e. numerous "valid" sessions (as opposed to active) that haven't been used for varying lengths of time because you logged in, but from their perspective, you never logged out. You just cleared your cookies which means the session is still "valid", even if it's inaccessible to you because the session cookies have been cleared from your device.

I don't know if they take any of this into account but as you've pointed out, assuming that the rightful owner of the account must have access to a different session is a huge assumption to make.

That's the reason to setup 2fa, because otherwise monopolies can legally kick you. Well, they can kick you anyway, because they are monopolies.
2FA makes it easier, not harder, to lose access to your account though.
1. Use two-factor auth.

2. Save those backup codes.

3. Be able to get those backup codes in some worst case scenario.

I have had to start from scratch before but never have been locked out.

4 - Discover that those backup codes are useless because the service provider will refuse to acknowledge them when you travel.

The fact that we are stuck with a pair of global apathetic undemocratic identity providers is absurd. And one of the reasons why that "shattered dream of passkeys" is on the front page. At least that dream got shattered, it would be worse if it went through.

I need to hear more about this scenario.
This is standard Google behavior. Logging into Google on any new device always asks me to confirm it on one of the other devices that are logged in (i.e. phones, tablets). Suppose it's some kind of 2FA.
I understand the security concept of it. Luckily my trip was short. As I also use wechat to communicate with some Chinese friends, my experience was different. First it sent me an OTP on the new phone, then asked for two friends to send a number to the phone. Luckily I had the phone number of one and I managed to restore and to be honest having humans in the pipeline was a plus. Negative this had to be done over 5 minutes otherwise you're back to square one.
A google account is not required to use an Android device.

So if you don't tie all your contacts, sync and backup to your google account, you can have a phone that they won't lock you out of.

This is actually great. You basically look like a stolen device with a sim swap.
How would the thieves know the password? Even unlocked iPhones don’t show saved passwords without Face ID prompt..
A reused password that was breached somewhere else.
>My conclusion - have two physical phones + laptop all synced, plus hardcopy of important pswds etc.

Why do you need more than a single phone plus a hardcopy of your Google recovery codes (assuming you know your Google account password)?

In case one phone doesn't work or is lost or stolen or broken, I guess. Plus buying a second phone is great for the economy!

Society was collectively sold this deal where if you entrust everything to a trillion-dollar company, you'll be treated well and this sort of thing wouldn't happen. Yet it appears to be happening, and the trillion-dollar company that has the resources to deal with this so far isn't being very helpful, and it's falling to the consumer to take insane amounts of proactive measures to not have their digital lives fucked up when the exact deal was that you wouldn't have to, but of course now the party line will be "well you were obviously stupid to believe the trillion-dollar company's trillion-dollar marketing, then."

And I'm annoyed as one of the people who did not buy into it.

Even more damaging is the lie that modern tech continues to sell people: that they're too stupid to use computing technology, and all the restrictions of the platform (relative to real computers) are actually for their benefit and not the corporation's.
And, almost everything is a "computer" nowadays, from your phone to your car to your refrigerator, but only the OG computer is even remotely "fixable" to the average consumer. All the others, you're hamstrung and forced to go through official channels for subpar, marked-up service because if you try to do anything yourself they'll brick your device and maybe sue you for good measure.
I think the modern definition of computer is something with a screen and keyboard. While you’re right that almost everything has a chip in it, calling your fridge a computer is disingenuous.
> Why do you need more than a single phone plus a hardcopy of your Google recovery codes

Because, as I can tell from a similar experience to GP's, they also won't save you if the authentication infrastructure decides you're not who you say you are.

If I lost my phone, I would still have access to three different recovery methods:

- I have my recovery codes

- I have access to my recovery email address

- I have access to a TOTP token

I would hope this is sufficient to persuade Google's authentication infrastructure to let me in.

As I learned in Google SRE: "hope is not a strategy"
Hope is part of every strategy that doesn't have infinite cost.
Google has done the exact same thing in the past, deleting Google accounts without warning (which is arguably worse because not only can you not access your phone backups but your email, calendar, drive, etc. is gone too).
Companies that wrongfully ban or delete email or phone accounts need to be civilly liable and this civil liability needs to supersede any arbitration agreement or terms of service agreement.

An Apple or Google account is far too important to people's lives to let them hide behind the "we're a private company and can do whatever we want" canard. They do need to have the right to ban spammers or people using YouTube or Drive to infringe copyrights but just randomly shutting off somebody's email or somebody's ability to make video calls should be against the law. The same would also apply to a text chat company like Slack or Discord banning somebody's work account for no reason. Certain tech companies have government-like levels of power over people's lives so they need to be restricted in how they can treat users like the government is restricted in how it can treat citizens.

> which is arguably worse because not only can you not access your phone backups but your email, calendar, drive, etc. is gone too

Some people use iCloud for email, calendar and storage so for them I imagine losing access to Apple ID would be just as bad.

Yeah, and to stress the point: this is not "can't send vacation pictures to my grandma" bad, this is "might lose my company/my job and my house" bad, as everything else in life treats one's email (and increasingly, app 2FA) as infallible backup.
Apple lets you return anything, opened and used, within 14 days.
Apple doesn’t really “let”, the law demands.
Interesting, is that in the US? I’ve never heard of that being required by law in the UK. I think it’s just an Apple thing here. I mean we obviously have laws about refunds etc but I don’t think we have any law saying you can open any product and start using it and then return it even if you have no complaint with it.
There is no uniform law. In the EU most countries have this type of law but they all vary in the duration and scope. In the US it is more or less similar as it varies by state and many don't have any laws regarding this.

But even the more permissive laws have many exceptions, like not applying to perishable goods, underwear, lipstick, etc. and it's heavily tilted for unused products or very light use that doesn't affect the value of the product when re-sold.

When the product doesn't work like in the case of this Apple situation, it's not even a question. As long as the hardware is not damaged and everything is returned, "the law" completely sides with the consumer.

They do eat the restocking fee that others would charge, taking the haircut on refurb sales
What are the odds of having this experience? Shouldn’t they affect your behavior?
What's your recommendation? Try it 1000 times to get statistics?

Likelihood should affect your behavior in the same way it affects whether it actually happens and it did.

"Fool me once..."

One in a thousand wouldn't yield anything. Because it's such an unusual experience (just a few of these happening around the same time would create a news cycle), one in ten million is probably closer since there are around a billion active Apple accounts.

That's similar to the odds of dying in a non-Boeing plane ride. Even if the odds were one in a million, that's about the odds of being struck by lightning over a lifetime.

I'd think someone returning a phone over this was regretting the switch for other reasons. It's fine to keep using Android.

This is a reasonable point of view I guess. But there's not really a reliable way for the consumer to get the real probability. If it happened to me, it's likely enough to consider. Maybe there's a hidden variable about my usage pattern that makes it more likely. Since it's totally opaque, there's no way to know.
Sure, if it actually happens to someone, they're rightfully not risking it again. If for no other reason, it'd be likely that a fresh account would be detected and associated with the old one. Plus, whatever unusual situation of yours triggered the ban, such as border crossing or how you route your Internet traffic, would probably still apply. (I'm not saying someone is doing the wrong thing if those things are the case for them.)
My recommendation is to not make a decision that goes against the grain based on a single anecdote you read on the internet