Google removed my Yubikeys from a Google account 'just to be safe'

&gt; Removing physical U2F keys from an account without request seems to be the worst possible reaction to suspicious activity.<p>Exactly, unless they were added during the suspicious activity. But this seems to be not the case.<p>I work in cybersecurity and I&#x27;ve seen hackers setting up PINs etc on hijacked Whatsapp accounts just to make it harder for the legit owner to recover it. So if it was a really recent addition it might make sense. If the Yubikey was there for ages it&#x27;s a really stupid move because it&#x27;s the one way the real owner can prove themselves.

Articles like these (which can generally be grouped under the &quot;what the hell is Google doing with my account and my data, and why can&#x27;t I reach out to a human to get out of this Kafkaesque nightmare?&quot;) are popping on HN on a daily basis.<p>I&#x27;ve previously been reported for commenting on a previous article that Google is a faceless company that produces shitty products and it doesn&#x27;t actually doesn&#x27;t give a shit of user experience, negative feedback nor deleting&#x2F;locking accounts (and, often, years of work) for no clear reasons.<p>Somebody responded &quot;on HN we often hear only one side of the story (people getting a negative experience with Google) and not Google&#x27;s side&quot;.<p>So, since many Google employees are also here on HN, I ask you folks: do you have any words to say in defense of these crappy policies?<p>If yes, then I&#x27;m happy to change my mind about Google, and eat back all the countless offenses I&#x27;ve thrown at the company over the years if convinced by enough plausible arguments.<p>If no Google employees can come here (or, even better, directly reach out to those impacted by their bad decisions) and defend their policies, then I abide to my words: Google is a shitty company that produces shitty products, it is proud of being a faceless company that doesn&#x27;t care about supporting users (even though it makes a lot of money out of their data), it makes horrible business decisions, and it leaves people in the dark when locked out of their accounts. Such companies, in a healthy market with enough competition, deserve to rot and fail and be mourned by nobody.

Google generally does stuff like that when they believe somebody else had access to your account and made changes. This sometimes involves the attacker enrolling for (their own) 2FA or changing recovery methods to lock you out. So, the action of removing 2FA is in itself not unreasonable.<p>It&#x27;s possible that their logic has some sort of a bug, especially if it only happens when you visit a specific service - and in that case, getting on HN might be the best way to get it looked at by a human... but also make sure you don&#x27;t have any other issues going on.

Google&#x27;s implementation does not seem to be doing much good anyway. To be fair, it is not just Google -- most companies feel the same pressure of having to implement MFA but then also make it convenient for clueless users to recover their access.<p>The right way to implement hardware keys is to allow registering multiple of them (so that you can put at least one or two off-site -- in a secure storage) and then not let you recover the access under any circumstances without showing you still own at least one of those keys.<p>If you can recover access without the keys then what is the point of keys in the first place?

Google have locked my account after I travelled to US. After that day, I have never used Google. Currently, there is no way to access the account.<p>Thank you Google for making my account &quot;Safe&quot;.

Hi HN. I posted this here because it seems to be the best way to get someone at google to look at something.<p>To preempt some comments along the lines of &quot;why are you relying on google in 20xx&quot;, I try my best not to these days but I still rely on them to forward emails from my old accounts, or for services like youtube where you must have a google account for full features.

This &#x27;just to be safe&#x27; procedure happens when Google thinks a bad guy is logged into your account. The bad guy might have changed the password, changed the 2fa, stolen login cookies or other malicious things.<p>What Google ought to do is to display a message saying:<p>* Google suspects someone else, or a virus, has access to your account with malicious intent.<p>* Google will help you secure your account.<p>* It is necessary to prove you are the legitimate account owner before we can allow you access to the account. To do this, we will ask for you to log into the account with as many possible devices and methods as possible. Into each device you should type &#x27;7867&#x27; after logging in.<p>* We ask this because a malicious actor or virus probably will only have control of a few of your devices, passwords or security keys, so we can identify you as the true account holder because you have more.<p>* We will then lock out the malicious actor, and you can change any passwords or security keys they used. If one of your devices was used by a virus, we&#x27;ll block it until you have reset it.

I had a similar experience recently when setting up a new TCF TV for my mother. I didn’t see a “was this you?” email to her Gmail account after logging her in to Android TV, and within hours her password had been invalidated by Google. The message when trying to log in at gmail.com was “Your password has been changed in the last week”, which caused me great concern and an hour or so changing passwords, etc. If the message had said “Google invalidated your password” I’d still have been pissed, but at least not panicked.

Related, but different, &amp; if there&#x27;s someone at Google looking at this:<p>There was a Titan Bluetooth Key (for 2FA) Vulnerability, you&#x27;ve said you&#x27;ll replace the affected keys[1], but you&#x27;re no longer doing so. Which is frustrating.<p>[1] <a href="https:&#x2F;&#x2F;security.googleblog.com&#x2F;2019&#x2F;05&#x2F;titan-keys-update.html" rel="nofollow">https:&#x2F;&#x2F;security.googleblog.com&#x2F;2019&#x2F;05&#x2F;titan-keys-update.ht...</a>

February this year I migrated my Mojang (Minecraft) account to a Microsoft Account, which I created solely for this use. I played a bit on a local world with just myself. The account had a unique, secure password and was secured with TOTP 2FA when I set it up.<p>I recently tried to play the game again but was told I had to login again. Doing so locked my account because it had been used in ways which violated Microsoft&#x27;s ToS: hacking, phishing or scamming other users. They demanded my telephone number before they&#x27;d allow me to use it again.<p>I basically consider this account and the game lost now. I didn&#x27;t buy this game when it was owned by Microsoft, but will never buy anything from Microsoft which requires me to have an account with them ever again.

Personally, just to be safe I have ceased to use many &quot;big name&quot; services, preferring for instance to have my mails locally, paying a service (not that much) with a hotline... My personal policy is: if I can&#x27;t phone them, if I have no local registered office to contact in case of need, if I do not have my data locally in usable forms, that&#x27;s means is not safe for me going with them.

I noticed recently I couldn&#x27;t use my 2FA key to get in to Google, but I never got a notification about it. Don&#x27;t know when it was removed or why but was annoying getting back in (especially as text verification was a disabled option for some reason), and then setting it back up again.

Great so when something like the recent LastPass leak happens and I go in and cycle my password, 2fa and backup codes out of simple precaution Google is going to perhaps mark that all as suspicious and undo it for anyone who might come along and pretend to have lost access to my account?

I think Google needs to add a better way to secure old &#x2F; previously inactive accounts. My guess is because your account was old, and your current device, IP and overall fingerprint was different it decided you were an intruder.

We need a general solution to reestablishing authentication.<p>The hard-line solution would be that you go to a post office, airport, police station, motor vehicle office, passport office, or bank, they take your fingerprints, picture, and a retinal scan, you get a new ID card and token, and your old ones are invalidated.<p>The US just pushed the date for REAL ID enforcement further out, again. This time from spring 2023 to 2025.[1] REAL ID terrifies illegal aliens. Once everyone legal in the US has one, getting a job or traveling will be much harder.<p>[1] <a href="https:&#x2F;&#x2F;www.cnn.com&#x2F;travel&#x2F;article&#x2F;dhs-real-id-deadline-extended&#x2F;index.html" rel="nofollow">https:&#x2F;&#x2F;www.cnn.com&#x2F;travel&#x2F;article&#x2F;dhs-real-id-deadline-exte...</a>

google has some of the most inane &#x27;security&#x27; measures. one thing it completely doesn&#x27;t understand is VPNs (despite offering a vpn service itself), failing your login every time you try to enter from a different &quot;location&quot;. (despite the device&#x2F;browser matching, or whatever else there might be.) and &quot;verification option&quot; that is offered is a phone number code, which is offered anyway, even when there&#x27;s no phone number saved on the account. how is that supposed to work and &#x27;verify&#x27; anything (what, can someone having credentials just enter any random phone number to &#x27;verify&#x27; and get in?), is unbeknownst to me. it also uses &#x27;additional email address&#x27; as a &#x27;verification method&#x27; (you could send a code there, or just enter that address), but then again, i don&#x27;t see how really &#x27;protective&#x27; that is, particularly when somebody could just enter anything there. truly, what is the point in that charade, over a regular password. the other thing is how it will not let you add 2fa without setting a phone prompt or phone number first. that is just idiotic. it will refuse to give you this way of security (while it may not be all that great, at least it&#x27;s definitely something), and pester you for extra emails and numbers. the way that google will seemingly refuse to trust passwords for what they are is just wild and annoying to me.<p>and it seems like it has &#x27;ramped up&#x27; its paranoia recently, cause just in the last week, I got forced to change a password on one account over &#x27;suspicious login&#x27; (me logging in through the same browser over vpn, and this is while the account has 2fa on), and got a &quot;critical security alert&quot; over a log in from a new browser. &quot;Suspicious attempt to sign in with your password&quot;. Yeah, that&#x27;s just me, google.

Google twice removed my password from my Google account... i.e.: I could not login even with the correct password.

Were you using a VPN or something? I’m curious if this was tripped by setting off impossible-travel flags or something. It seems plausible that this is just anti-account takeover logic working as-expected, but with a false positive alert.

》As google has no support channels I can use, my only recourse is to write this blog post and hope someone sees it.<p>By 2030 we will need to build a social network with at least 10k users to get some attention from the Gooverlords.

They probably asked you for your phone number at the same time....

found a similar error message happening to someone else a year ago with few recourse options: <a href="https:&#x2F;&#x2F;support.google.com&#x2F;accounts&#x2F;thread&#x2F;103488375&#x2F;google-could-not-verify-your-gmail-account?hl=en" rel="nofollow">https:&#x2F;&#x2F;support.google.com&#x2F;accounts&#x2F;thread&#x2F;103488375&#x2F;google-...</a>

Reading stories like these, I’m glad I don’t even have a Google account.

Sad story, it is the same with all the newfangled companies: you are a product, not a customer

Tangent: Instagram managed to lock me out of their service for a week or so a couple of days ago. My browser was signed in into my account, but I have not used it for like a month.<p>Got logged out. I log back in (using 2FA btw). &quot;Please give us your phone number so we can verify it&#x27;s you&quot; I enter my phone number. I don&#x27;t really get the point of this because they did not have my number before, so what are they actually verifying here? Anyway, I trust Facebook with my phone number lol. I get a code, I enter it. &quot;Your account activity is suspicious and we will limit your account for a bit&quot; That was it. No redirect, no link to click, nothing. So I go back to instagram[.]com and have to do the same thing again?<p>Well maybe my browser is on a block list now or sth. So I go to my phone (where I was signed in). And the App is broken completely, looks like the session was invalidated.<p>I log out, log back in, do 2FA, enter the code again. Same result.<p>I checked back in a couple of days ago and it seems like I have access again.<p>It is unfathomable how this can happen. How can the front gate to your multi billion service just not work to the point where you DOS yourself?<p>Also this account has 0 images, and just a couple of followers, so there is literally nothing to protect.<p>In moments like these you really start to notice the missing communication channels to the big tech companies. Is there any other industry that has zero customer support?

Google support bot requires HN Google account nightmare stories to reach 1000 points or be posted by paulg before they are addressed.<p>(FWIW I addes YUbikeys to 2 old long-term Google accounts about 6 months ago and they are still there. I did do this from the home location I usually use Google from, though.)