quadrifoliate 6 hours ago
> He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.

Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path. He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA.

Also, it should be fairly obvious that SMS is not expected to work seamlessly while traveling. How is this not a scenario that's hit by millions of Google users worldwide?
Spooky23 4 hours ago | parent
We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event. The SMS-only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing.

I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight mode get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite.) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email. Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and the UK add as well.

Point is, this type of shit happens and you should have a contingency.