My mom got locked out of her 10yr gmail account. She doesn't have access to the phone number she added for 2FA. This is after she has the right password and also has access to the recovery email.<p>This basically locked her out of her whole online life because for all other social accounts she uses sign in with Google.<p>There is no human support, and their support website says if you cannot recover the account, create a new one.
I believe it is time for regulatory support. I know it is fashionable to mock the EU regulatory efforts in the US, but the EU has a tendency to step in once something reaches proportions where regulation is actually needed. Ridiculously high roaming charges, for example, have been eliminated through regulation.<p>Once you are the dominant provider of something that is nearing life-essential utility status, you should provide support and escalation routes, and you should be accountable.
I feel that many of the answers here, which explain what could have been done beforehand to prevent this - are not very helpful to someone who's already locked out of their account.<p>It's never gonna be possible to 100% prevent any possibility that could cause loss of access to your 2FA. Some people will always fall through the cracks - whether that's due to their own negligence, lack of technical understanding or some algorithmic false positive doesn't really matter imho.<p>The real problem here is, that there's nothing that can be done to resolve something like that, AFTER it already happened. Not even if you were willing to pay for support to help you.<p>If you got good contacts, are famous, manage to go viral or something, you might be able to actually get help - but as a regular, boring, everyday person, you're just fucked. The only "advice" you are gonna get is: "you should have done this or that beforehand..." - and the obvious answer to that is: "I would have, had I only known!"<p>The only thing you can do, is post your story on HN and Twitter, and hope someone from Google reads it, and goes out of their way to actually help you - which obviously is AGAINST standard company procedure.
This might sound dumb, but if the phone number belongs to someone else now, could you just call/text them and explain the situation and (eventually) ask them to read you the code or something? Admittedly it'd sound suspicious as heck, but if you're willing to provide sufficient proof of your identity and somehow offer a reward in a safe manner, the person might understand and be willing to help? You'd have to be pretty smooth about it, but it seems worth preparing for and giving it a try.<p>Alternative idea: If you're really desperate, you could even try to dig up the phone number owner's address and show up at their door or something and explain it that way. (Note I'm <i>not recommending</i> these per se; I'm just pointing out what's possible. Obviously be very careful to consider everything before doing such a thing.)
I actually wish there was a way to opt-out of the suspicious login detection mechanism.<p>I've certainly had nerve racking moments where my login has been flagged as unusual and I wasn't sure if it would let me in (and I'm completely locked out of my childhood account though it's not been used in over 10 years)<p>It's a good feature for those with the password "password" but if you've used a strong single use password it just gets in the way
I ran into a situation earlier this year where I tried to log in to my Google account in a pinch on someone else's computer and I could not because, even though I did NOT turn on any fancy 2fa options and had ONLY ever wanted Google to use my phone number or alternative e-mail address (at MOST) for such purpose, they refused to let me log in unless I approved some special 2fa mechanism in the YouTube app I had logged in on a Google Fi Android phone that I only use for testing and had over a thousand miles away from me at my desk. It was ridiculous.<p>In another, non-Google case, Apple once demanded that I provide the answers to challenge questions for an account I didn't use often even though I had my username and password correct. To me, the challenge questions are something that should only ever be used to verify in the case that I <i>don't</i> know my password, and it took me three days of trying against the rate limit to get enough tries to figure out the spelling of the answer for one of my questions. What made it really ridiculous is that the only reason this account existed was to give me access to developer account that was actively billing my credit card that I couldn't access... at least with Apple there was a customer service representative who was willing to try to figure something out as they agreed that it was ridiculous that I was paying money for something I couldn't even log in to cancel (though she wasn't sure if she could actually do anything...).
I'm sorry for the pain it will cause you.<p>I had a similar story with my own accounts.<p>It's just lost forever, luckily I had many others, and didn't associate my whole life to any single account or provider, nor used social sign in, so it was not life altering, just a bit of work.<p>But selfishly, I hope those kind of story get published more and more so that people finally realized that what we told them not to do the for the last 20 years was not just for the sake of it.<p>People don't listen to preventive talks. We see that with cyber security, climate change, and so on.<p>They only start to move when they get hurt.<p>I wished people would have listened to us when we advised not to give everything to GAFAM, not to put everything online, and not everything on one provider. And certainly not to trust them with being on your side.<p>So they wouldn't have to get hurt.<p>But this is not how we, as a specie, learn. We need to get hurt.<p>So make sure a lot of people know about this. Not just in the hope to get the account back, but because maybe more people will listen this time.
The crux of the problem is that gmail is, for billions of people, both their primary email account, which is superbly central to many things that we do in 2022, and the way in which we get authenticated and essentially "manage" our online identity.<p>These two things would ideally stay separate. Of course, an expert in Computer Science would certainly have his/her own tld domain with email, and maybe use gmail only for proper email work, right?<p>Well... Not so sure about that. I'm a tech person myself, and my gmail is my online identity. I would suffer the same fate if I were to go through the same issue as OP's mother.<p>Perhaps there's space here for a startup, or a service, that allows you to fix this. Something that would make regulatory bodies not too unhappy about it.
I know everyone will say "this won't happen to me" but you might be surprised how quickly even a technically savvy user can stumble into this situation with a few wrong clicks of the mouse.<p>In my case, I did the Google "security checkup" and clicked "yes" when it asked if I wanted to improve my security by using my phone as a security factor. I thought this was just going to cause it to generate those helpful "Did you just sign in" prompts. No: that option actually signs you up to use your phone as a hardware security token which requires you to physically connect your phone through its USB port. Guess what doesn't work on my phone? My freakin USB-C port (!!!!). Eventually I found the loophole that signing in from the hardware key device itself prompts you to use a different 2nd factor and I was able to disable the security that way. It boggles my mind that I was able to enable that security option without proving I could actually use the hardware device to unlock first. But it completely activated it without me ever doing that.
Sorry for the stress this is no doubt causing your mother.<p>Unfortunately I have seen similar and they never recovered access. It is just lost to the void that is Google support for their free services.<p>Yes I know it is the risk you run using a free service but I feel there should be <i>some</i> official process for a real human to get involved to get the account back. As you say you can lose access to your whole damn world these days.<p>It is crazy we have so many protections for your account getting hacked yet absolutely nothing to recover the same account should some automated system determine you are not you.
2FA is a step backwards, at least in the way most services implement it where you totally depend on a phone (I know there are other ways to do 2FA).<p>I know that passwords are insecure (or at least, most people's passwords are) but I'd rather have that than tying all my identity to a phone.<p>Since I started using the internet in the 90s I haven't ever had any password-related incident that I know of. Now I have a constant fear of my phone being lost or stolen. I do have an export of the authenticator files, but what if it fails, or if the phone thief starts doing bad stuff since some services are going so crazy with 2FA that they relax the rest of their security? (I have seen Yahoo mail sometimes not asking for password at all, just some SMS code).<p>I only use 2FA where it's mandatory (unfortunately, more and more services) and I wish it were forbidden to make it mandatory, at least in this form where you totally depend on a phone.
That's the problem with 2FA as it is done these days. The second factor is not under your control. It begs the question if 2FA makes your setup more secure or less. In this case, it backfired.<p>People are trusted with their own keys to their apartments, cars and houses.<p>Will we ever trust people with their own keys to their social life?
One of the reasons I pay for Google One storage is that in case something like that happens to me I will be able to do something legally, since I'm a customer and I'm not getting my service, right? (And my identity is tied to my credit card, so it can be verified easily).<p>I'm probably too naive but I can't think anything better. I'd gladly pay some money just to avoid this scenario.
I had nearly this exact thing! The backup email wasn’t working. My mom was able to leverage an existing session on thunderbird to access her emails. Her SMS auth was failing as she’d change numbers. She managed to convince a phone provider to give her the old number so she could successfully authenticate.<p>Still mad about the lack of ability to provide proof of ownership, we had ample evidence which would have held up in court if required. But alas, google are worried about their immediate bottom line instead of their long term viability.
When you enable 2FA, you are given 10 backup codes for that specific reason and it tells you to print/save them, but everyone just ignores it - do it now.<p>You can also add multiple phone numbers, I got two just in case I loose one for some reason. Like if I loose my mobile, I'd need to sign in to google to locate it and I can use another number (my wife) to get 2FA code. And I have authy with my google 2FA by default, you can have multiple devices as well.
Wait a few days. It may be possible at a later date.<p>I'm not storing cookies when using GMail and at a time I regularly got those suspicious login type messages when the browser updated to a new version. At one point I had to click a link in the recovery email and enter the month when the account was created. Pretty much guessed several times until nothing worked. Tried again a day or a few later and got in again.
I’ve been planning to migrate off Gmail, and stories like these are increasing my sense of urgency about it. Google shows such callous, reckless disregard for its users’ lives. I feel kind of stupid for trusting Google with this much power in the first place!
It's too late now, but this should be a lesson to anyone to always cultivate the MFA methods in their accounts: review them on a regular basis, remove methods that aren't secure or safe, and always, always print out those emergency codes on a sheet of paper and store it safely away, offsite if possible. If your mom had printed out paper codes, then she'd have recourse to a sure recovery method at this point.<p>Also worth a try is to pay for Google One. Rumor on the streets says that paid members have a better chance at bending the ear of a human customer service representative. It may be worth the extra few bucks per year.
Reminder to set up automatic email forwarding of all your gmail to a secondary address. I recommend Protonmail. Also schedule Google Takeout to regular intervals.
If you are geeky/nerdy just remove phone number and add QR code based 2FA. Print that QR code and scan it on your phone (as a courtesy to your mum). Yes, victim blaming but better to do this as a help rather then hosting your email service for your mum.
I have a gmail account I never enabled 2fa on, or set up a recovery email. However, it had an old phone number I haven't used in >8 years.<p>2 years ago, I tried logging into the account, and google told me I needed to verify an SMS message due to logging in from a new location (I had logged into this account from Canada before).<p>I tried calling the old phone number, but it's disconnected. So unless I want to move back to the U.S. to try to get that same phone number again, I probably won't be able to access this account until someone gets that phone number, and I manage to talk them into passing along the authentication message
For those that have a new phone number or have changed their number - sometimes you might have your old phone number in your payment profile (or something along those lines). That number might still be used by Google even when you change your number. So you can end up in a situation where you update your recovery phone number, but that old number still shows up. It took me some time at a point to get rid of this one to ensure that it works.<p>Also, 2FA will still trigger even when you turn it off. I had turned off 2FA because I don't care about this account and because I kept having issues with it due to the countries I lived in over the years. I logged into a machine that got a fresh install and got prompted to go through 2FA and get a text. But this was turned off.<p>So I'm sorry to hear about this, it's a real big issue and I ask everyone here who cares about privacy and who cares about a better tech environment to push their friends and family or followers to move towards more privacy respecting alternatives that HAVE support, that WILL assist you if something like this happens. Even in a worst case scenario (all emails being lost), getting back access to the account itself can make a huge difference... So please, support those who hit on issues if you can somehow and promote alternatives for those who can afford them (and most people in the west will generally be able to afford the 1USD/1GBP/1EUR a month some services will charge).
Similar with Yahoo recently - had an almost 20 year old account, and suddenly it wants verification on a long gone phone number. Good that the account was used mostly for various registrations and non-critical communications. Still a lot of history and context de-facto gone. A kind of personal mini-Alexandria library fire :)<p>Similar situation with Hotmail went better - as the phone number was gone, the system offered an alternative - i had to provide previous passwords, recent emails recipients and subjects.
An idea would be to have more than one account on different providers and have all their emails forwarded to each other, but make sure the forwarded emails arent forwarded again.<p>Might go do this now.
This is happening to me with facebook, without 2fa. I temporarily disabled my account for a couple years as they promised you could log back in at any point to restore it. fast forward to today and even though i have the same email and password combo they are stuck in a loop asking me for my passport/state id, which i’ve provided dozens of times at this point.<p>sucks because i have a bunch of memories locked in that account and can’t contact a human at FB.
This happened to me. I had the password, same recovery email, but phone number was one I no longer had access to.<p>Turns out it was a IP location issue. When I traveled back to the same city I created it, I never got the 2nd challenge. The password was enough. I could then update the phone number.<p>It's really nuts. I mean, if you know 2 out of 3 security challenges (password, recovery email, but not phone) suddenly that's enough to lock you out?
Google login is getting worse and worse.<p>My son school gives them a google login. I can login on a PC. But on Android you can't login with Chrome because there can be only one google account linked to a device. When I try to login with Firefox (even with the correct password), it says that they can't verify it's me and that I should contact the domain admin.
Google could have logic to prevent exactly this case...<p>Have the security requirements for entry to the account reduce after a timeout and notification period.<p>Eg: Since we haven't been able to verify your access to this account, we have 1 final option for you. Click this button to begin the recovery procedure:<p>* We will message anyone currently logged in to ask if they want to allow or deny you access. If you are logged in from another device, you can allow access there.<p>* If there is no response in 7 days, we will message the recovery email addresses and phone numbers to ask the same.<p>* If there is no response in 7 further days, we will message the 10 most recently emailed email addresses from the gmail inbox to ask if you should be allowed in. The message will contain your name, and request the recipients contact you and give you a code you can use to unlock your account.<p>The process still has the problem that scammers will farm discarded/temporary gmail addresses. Dead peoples addresses might easily be taken over too...
As a long-time Fastmail user, I'm curious if anyone has ever recovered their account and how it compares to Google?<p>More generally, can you get someone on the phone? I can't see a phone number in the Contact Us section of their site.<p>EDIT: I also checked their most expensive plans ($90/user/year), and it doesn't have different support options.
I've recently been transitioning over to paid email (I chose fastmail, it's great, but there are many others) for pretty much exactly this reason. Free users are just useless eaters to big companies. Fine when it works, shit out of luck if anything goes wrong. I had a near miss with an old phone number - it worked out in the end but I was left with no illusions about my total lack of recourse if it hadn't.<p>Turns out, when I asked myself the question "is my email worth $50/year?" the answer was "yes".<p>It's been a hassle, not gonna lie, and I may never fully get everything transitioned - but it's an important service, and if it's important I want a prompt and easy resolution to any problems. That costs money. Why did we ever think free email was a good idea?
If she lives in Europe or California could she not make a request on all the personal information that google holds on her? That would at least get her the emails back, not likely to get her access to linked accounts though.
Hmm, yes, that's actually the exact behavior that I expect from 2FA. To not let people in my account without the code.<p>I fully sympathize and understand that the outcome is bad, but this is just a system working 100% as expected.
Thanks for reminding me to open up thunderbird and get it up to date with my google email.<p>It would be bad to be cut off, for all the reasons you have given in the intro, but it would be even worse to lose all my mail as well.
It happened to me a few days ago, after a reboot of my internet box. I suspect the box IP changed, but didn't check.
I didn't have recovery email, and I managed to recover my account by googling sth like "gmail set recovery email" (=> <a href="https://myaccount.google.com/intro/recovery/email" rel="nofollow">https://myaccount.google.com/intro/recovery/email</a>). There I could login after having answered the 'secret question', and this gave me back my access to gmail.
I upvoted this post so hopefully it stays long enough on the front page for someone at Google to see it and do something about it.<p>It's the only thing I can do to help, I'm sorry for your mum.<p>I've said it before, Google cannot be trusted with anything important. They don't care about their users because the users (info) are a product they sell to their actual customers. There's no incentives for Google to provide their cashcow something like customer support, because the user is not a customer.
2FA is becoming a huge problem.<p>One day, I unintentionally left my phone home. At work I was unable to log into my Google account without my phone.<p>What a clusterf**k.<p>(And I never opted for 2FA. It was forced on me by Google).
Lessons from this situation:<p>1. Prefer an email provider with human support - which probably means paying money; otherwise, choose a free email provider with a better record on these matters than Google/Alphabet.<p>If you do use Google:<p>2. Prefer independent sign-in on websites which offer signing in with a Google account.<p>3. Periodically back up your email someplace that's not Google, preferable on your own HDD and with a copy on removable media.
Hey Harsh,<p>Sorry to see this (after reading on On Deck) and here is how I would try. No guarantee but an idea. Add your mom to Google One Family plan (buy for one month, you don't have it).<p>Now, the support on Google One is quick and are actual people. I was extremely surprised by this and asked quite a few time if they are real people (they are). Try talking to them and see if that works.
Have you tried account recovery? <a href="https://accounts.google.com/signin/recovery" rel="nofollow">https://accounts.google.com/signin/recovery</a><p><a href="https://support.google.com/accounts/answer/7299973?hl=en" rel="nofollow">https://support.google.com/accounts/answer/7299973?hl=en</a>
My mom has two numbers for 2FA SMS on Google, one is hers and one is mine. I’d highly recommend anyone in any situation that involves phone numbers for 2FA to never only use one. If that’s not feasible, use one of the other “phone independent” options (like recovery codes on paper).
Human support can be social-engineered or bribed. You hear about SIM jacking, OG Instagram account takeover, etc. because of human support.<p>It certainly sucks, but in this case you lost your second factor, which is very different from the other flagged-as-suspicious-and-locked-out-permanently cases.
I have that looming above me.
I lost access to the 2FA phone number a year ago. Google puts me in a login authentication loop when I try to change the phone number, even after logging in to the account.<p>My previous phone provider deleted my number. They only told me by SMS, which I never received, because I kept the phone off. I used it on only for restoring accounts.<p>Now I wait for the inevitable to happen. I use Protonmail. And I will lose access to GMail eventually. Then it’s time to GDPR the shit out of them.
I wonder if it's practical to set up email forwarding to backup account so you can at least get password resets from other services that use your email address. Is it common to have a Google login on another site, then password reset to 'de-google' it?
I have the same issue / I guessed it was hacked and taken by some other, luckily I got it isolated from all my logins and i made a new account !
Can’t help but wonder who has it, also cannot comment on how unhelpful google are in resetting the access!
You're probably fucked. I still have a bricked phone from the onboarding process there. Somebody has had an open ticket to fix it the last few years.<p>I was able to get my W2 by showing up at the Googleplex. They seemed knowledgeable and friendly. Is a day-trip an option?
I got the same problem on a couple of Google accounts.<p>The only pitfall advice from Google was to try to log in from an old machine or a previous location. This has never worked, and accounts are lost as there is no way to be in contact with a human to assist.
I got locked out once with very little hope of recovering my account (hit the password guess limit or something) but luckily I was still logged in on my old laptop so could change the settings enough to get in again.
If she is still logged in somewhere, on a laptop, desktop, phone, whatever, then she can go and remove 2FA (no, you don't need the 2FA code to remove 2FA - or at least you didn't ~1 month ago).
The main problem is that Google asks you for a recovery email address and then won't actually let you use it for recovery.
This gives a false sense of security and creates a lot of gotchas.
Very sad this happened to you.<p>To everybody else reading this: Get your own domain, get an email through it on fastmail, migrate all your accounts to it.<p>It will happen to you!
If I ever leak my Google password, the last thing I would want is for someone to bypass the 2FA on it. So I certainly hope that there would be no way around it.