deepsun 5 hours ago
> Fundamentally, this was google's fault

Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations. What would you do in Google's place?
wl 5 hours ago
I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".) If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.
Telaneo 5 hours ago
Not add 2FA automatically, but instead prompt with options to add it. This probably doesn't comply with the relevant recommendations, but cutting a user off from their email is worse in my opinion.
saidnooneever 4 hours ago
Nonsense. Any feature should have acceptable failure modes. Blaming the customer for a fault they have no control over is not acceptable. Many people know nothing about 2FA. It is not their responsibility. 2FA is a symptom of shittily designed systems which are inherently insecure and companies who don't give a shit about that and let their customers shoulder the burden by shoving complexity down their throats. If you make an app it is not your customers' responsibility to secure it with additional actions from their side. If it is, you need to make it mandatory and guide them step by step. You can't after a while enable some toggle and tell people to fuck off and that it's the fault of their ignorance to not know some technical details. Most consumers of these services don't know shit about IT and they should not be burdened with it. Any product that demands it is either only meant for tech-savvy people or, more likely, lazily and badly engineered by money-hungry people who see an opportunity to make more money from users' issues.
mindslight 5 hours ago
Not force nonconsensual authentication methods onto users. Google is one of the rare places I actually see positive value to 2FA. Compare with, say, banks, where it being demanded actually decreases my security. But regardless, it should not be forced.