[akoboldfrying]

> Fundamentally, this was google's fault for misusing a recovery email for 2FA.

While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.

[spaqin]

I'm tired of 2FA. Absolutely the worst when setting up a new phone after losing the old one. A whole bunch of mixed methods, in 2 hours between installing all the apps again, getting text messages, installing authenticators, scanning IDs, taking selfies, receiving phone calls with spoken codes, grabbing another device that still somehow has access, twenty emails about new suspicious activity, grabbing recovery codes, or scrambling to find the Yubikey I used when registering for the simplest and most benign services that have no connections to my personal data or payment.

Google will insist on sending a notification to a phone you have no longer access to, and regaining access always feels like hacking yourself. I dread the day I lose a phone together with my SIM card and ID during travel. I will never be able to go back and will have to start a new life as an illegal immigrant, living as a hermit in some deep forest.

[simoncion]

> What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely?

Yes. I've had online accounts for nearly as long as there's been an "online". The only time I've ever lost control of an account was due to 2FA.

2FA should always be optional for one's personal accounts. [0] People who can securely manage passwords simply don't need it. And if Organized Crime or Mossad wants access to my accounts, 2FA is not going to stop them.

[0] Corporate accounts and hardware are a different matter. You manage those however your employer commands you to manage them.

[justsomehnguy]

The only reason Google does that 2FA dance is to get your phone number 'cuz it tends to be a very strong persistent marker which is very useful for... advertisement.

[akoboldfrying]

I have the same suspicion in general, but isn't it possible to use an authenticator app as the second factor instead of a phone number?

[justsomehnguy]

Try to register a new account without a phone number.

[harimau777]

Personally, if their 2FA doesn't work, then they should definitely permit everyone to avoid upgrading to 2FA indefinitely.

[akoboldfrying]

If their 2FA doesn't work, I agree.

[t-3]

2FA isn't an upgrade, it's an annoyance. If your organization needs secure authentication, it's useful, but as an individual I have only ever been enraged. Making me check my email and phone to log in is a great way to ensure I never use your service again.

[63stack]

I doubt anyone would blame google for not forcibly enabling 2fa.

[akoboldfrying]

I think it's similar to, say, serving raw HTTP instead of HTTPS. If, say, Facebook still served HTTP and people were getting their passwords swiped, Meta would be in the crosshairs.

Even though you could say a person getting their 1FA account details phished is technically "their own fault", certainly to a greater extent than my HTTP example, spending the time understanding the issue well enough to realise that it was their own fault and not BigRichCompany's fault is not high on most people's list of fun things to do.