[deepsun]

> Fundamentally, this was google's fault

Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.

What would you do in Google's place?

[wl]

I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)

If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.

[dataflow]

> No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date

The rest of your complaints make sense but this one is bizarre. It's a recovery email, isn't having access to it the entire point? Like what else did you think it was supposed to be there for beside being accessible?

Google clearly misused it for something else, and you have a strong argument they shouldn't have. This one sentence just needlessly weakens the argument.

[cwillu]

The point is that an or relationship was silently converted into an and relationship, which is a _very_ different relationship between two factors.

[wl]

I never expected to need to recover the account because I used a strong password stored in a password manager that I had adequately secured and backed up.

[simoncion]

Exactly.

It was pretty sobering when Google demonstrated to me a new and novel way that made them the actual threat to my account security. I thought that by carefully refusing to publish anything with their add-ons (YouTube, Docs, Android Store, etc, etc) that I'd avoid getting swept up in an autoomated account-wide bannination, but, nope. A perfectly ordinary login to the account I'd had for years from the exact same location and IP address I'd used the day before was "suspicious" and required "recovery".

[8cvor6j844qw_d6]

> old .edu email address that I was promised "for life"

Best treat all org controlled email address as temporary.

[Telaneo]

Not add 2fa automatically, but instead prompt with options to add it.

This probably doesn't comply with the relevant recommendations, but cutting a user of from their email is worse in my opinion.

[deepsun]

I'm sure Google prompted author for years begging to turn the 2FA on, as well as warning that they will enforce it on day X. Author ignored them all.

[mulmen]

Why is 2FA so critical it’s worth proactively breaking the user? What’s the even more bad thing that would (not could) happen to the user if 2FA was not enabled?

[namibj]

Password database leaks turning into spam/proxy farms of very well aged accounts.

[mulmen]

That’s a could.

[Telaneo]

That doesn't make forcing it any less wrong.

[mindslight]

Not force nonconsensual authentication methods onto users.

Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.

[deepsun]

As for the banks I doubt it decreases security. Even SMS 2FA actually reduces fraud by 90%+ percent.

Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.

But even then having 2FA is 42 times better than not having it.

[mindslight]

For US banks, the most important thing you can do to prevent fraud is to check your account transactions every 30 days so that you can report fraudulent transactions in a timely manner and have them reversed. Anything that increases friction of logging into your account thus decreases your security.

[deepsun]

But then millions of users would stay unprotected from password sealing (see https://haveibeenpwned.com/).

They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.

[saidnooneever]

nonsense. any feature should have acceptable failure modes. blaming the customer for a fault they have no control over is not acceptable. many people know nothing about 2FA. it is not their responsibility. 2FA is a symptom of shitty designed systems which are inherently insecure and companies who dont give a shit about that and let their customers shoulder the burden by shoving complexity down their throats.

if you make an app it is not your customers responsibility to secure it with additional actions from their side..if it is, you need to make it mandatory and guide them step by step.

you cant after a while enable some toggle.and tell people to fuck off and its the fault of their ignorance to not know some technical details.

most consumers of these services dont know shit about IT and they should not be burdened with it..any product that demands it is either only meant for tech savy people or more likely lazily and badly engineered by money hungry people who see opportunity to make more money in user's issues.

[deepsun]

> many people know nothing about 2FA

That's why Google sent them multiple emails explaining what it is and recommending to turn it on. What else could Google do?

[YeahThisIsMe]

Not just turn it on without their approval.

[harimau777]

Provide a way to resolve the issue in the very foreseeable situation where someone doesn't read the emails an add it.

Is it possible that you use email differently than most people? I virtually never actually check my inbox. I'm either reading an email that I knew was coming (e.g. an order confirmation with a shipping link) or I'm searching for something specific. So no matter how many emails Google sends I'm unlikely to read them.

[happymellon]

2FA falls under the same criteria as mandatory password rotation, and "has to have special characters". Those were NIST recommended for a long time too.