Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
r1ch 7 hours ago

I recently had to go through the recovery flow for an admin account and it was wild. Despite Google manually unlocking the account and giving me a reset link, every login was forced to authenticate via SMS using the (removed) phone number. Luckily I was able to get a hold of it and get the code, but even after adding a TOTP and security key 2FA, further logins still required SMS.

It feels like the security team made this change to reduce account hijacking but it's at complete odds with the recovery flow and modern security practices. Better hope your phone number doesn't get hijacked or recycled because it's the key to your account now, security keys be damned.

qingcharles 5 hours ago | parent [-]

Google enabled 2FA on my Gmail account without any prior notice. I have the username, password, recovery email, and all emails from the account are forwarded to my Fastmail, but I can't ever log into the account again because it is trying to do 2FA by SMS to a number I don't have.

I've tried everything to find someone inside Google to fix this, but so far no luck. At least with Meta you can find someone on a forum like Swapd who will take a small bribe to fix these issues.

subscribed 4 hours ago | parent | next [-]

You could rephrase this meta thing as "Meta employee can successfully coerce an adult into sex by promising Instagram account unban" - more accurate IMO: https://showtime-fqi8q.s3.amazonaws.com/onlyfans-star-slept-...

subscribed 4 hours ago | parent | prev | next [-]

My SO has identical situation. Identical. She still receives emails for this account because she set forwarding years ago, I still get notifications because I'm set as a recovery account, but without the phone she doesn't have for the last 15 years we have no way of logging in.

We have everything else but this alone is not enough.

atomicfiredoll 5 hours ago | parent | prev | next [-]

Very similar situation. I could even see information being sent to the recovery email. So, when the time came to setup my business, I chose Zoho and avoid Google whenever possible.

justinclift 5 hours ago | parent | prev [-]

> At least with Meta you can find someone on a forum like Swapd who will take a small bribe ...

That sounds like its own kind of problems. (!)