[flagged] Tell HN: I can't login to Gmail due to phone cannot be used for verification
27 points by sawirricardo on Nov 21, 2022 | hide | past | favorite | 46 comments
Does anyone have any idea how to recover it other than.... find another number? I've used my father's and mother's numbers. However, it seems all numbers have been flagged as "cannot be used for verification". Any other ways to log in?


I kid you not. Google's actual official answer to this is... create another account![1][2][3]

Edit: Now that I have your attention:

PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.

[1]: https://support.google.com/accounts/troubleshooter/2402620?h...

[2]: https://support.google.com/accounts/answer/7682439

[3]: https://support.google.com/accounts/answer/7299973


Man I love how tech companies have "innovated" customer service obsolete.


Oh my, obviously not the solution we're looking for.


Yes, but perhaps now that we know first hand how bad this can get, we can collectively prevent it from happening to others. :/


MFA is rather neutered by "solutions" to losing access to your factors.


This phone verification shit is so awful. I have two friends who moved overseas and disconnected their cellphone plans without thinking about their MFA situation.

Today I have to enforce MFA at the small company I'm working at, and just a month prior I held a cybersecurity seminar for them and explained that "phone MFA is… okay… but you should really use verification apps." But I didn't realize that you can't even enable authenticator-app-MFA with Google without doing it through a phone first… just infuriating.


So I have used Authy, which apparently is somehow protocol compatible with Google Authenticator, and you can back up your tokens with a password. I got a new phone, installed the app, entered the password, and all my tokens were there.


> which apparently is somehow protocol compatible with Google Authenticator

Nothing mysterious. Authy and Google Authenticator simply implement the same standard, RFC 6238.

https://datatracker.ietf.org/doc/html/rfc6238


I've moved from using Authy to Aegis Authenticator [0], it's open source and allows you to export an (optionally encrypted) backup of your OTP secrets offline. I trust that more than a cloud backup. Plus you can more easily migrate if Aegis ever goes unmaintained.

[0] https://getaegis.app/


TOTP ("Time-based One-Time Password") isn't exactly a "protocol", just a big random number as a pre-shared key plus a method for hashing that with the current time to produce a six-digit number. Whatever you're authenticating to does the same computation with the key and, if the result you provide matches the one it got, it knows you have the same key it does.

SMS 2FA is a different proposition, in that the authentication provider sends you the intended response directly. This is a little easier for nontechnical users in that it doesn't require an app that can compute TOTP responses, but it's markedly less secure in that anyone receiving or intercepting the SMS can immediately respond to the challenge, and less resilient in that you can't authenticate at all if you don't receive the SMS - which is the failure mode under discussion here.


I just installed Authy on my other Android phone and I need to login with my "phone number".... WTF...?


Use Aegis or KeePassXC/KeePassium/Keepass2Android. These apps let you keep (backups of) your (T)OTP secrets offline and don't require additional PII to set up.


The problem is that one has to enable phone MFA before they can enable Authy/other-app MFA. I have no idea why; the only theory I can come up with is the value of tying accounts to outside marketing databases using phone numbers as IDs.


That is the answer. Authy can be used on several machines at the same time. Totally rocks - and is free


So now your second factor is... the Authy master password?


Which is still strongly preferable to getting locked out of everything because Google Authenticator refuses to participate in device backups. Lucky for me I found out about that well before I moved to "2FA wherever possible", but I still had to send some vendors scans of my driver's license to get back into my accounts with them.

Maybe they've fixed that since then, but I don't care. I'd rather risk a theoretical flaw in Authy's E2EE than risk getting screwed again, and by now much more thoroughly, by the flaw I know about in Google Authenticator.


Ha. It happens that there is a script out there somewhere which allows you to extract the private key of any of your MFA codes from Authy through Chrome DevTools (it's an Electron app) so you can use it in whichever MFA solution you want.


And the private key material Authy has in its database.


I moved across the country a few years ago, and just a few months ago got a new phone on a new carrier. For a brief moment, I considered getting a new number. No more spam texts and calls (or at least different ones)? Having an area code matching where I lived? Seemed like positives, and it'd take me about 10 minutes to email or text my new number to the relevant parties.

I hadn't considered MFA because I use Authenticator and have most of my TOTP seeds in 1Password anyway, but man I'm thinking I dodged a bullet because there are a handful of things that use SMS only.


> just infuriating.

I just bought a prepaid card only for this - Google, Facebook, Twitter, Instagram. I don't use it for anything else. I took it out and hope to remember to top it up for another year to keep it in service. It's so stupid.


Yup. You have to enable it, add proper MFA, then disable it.

Because Google knows best.


I once changed my Gmail password and promptly forgot it. When I was trying to recover it, I had no MFA set up (I had a yubikey, but somehow that wasn't allowed???), so the only option left for me was to provide them with the month and year I created the account. Since it was roughly a 10 year old account, I had no idea what those numbers were. There was also no way to reach out to an actual human for help through their account recovery workflow. I ended up creating a Twitter bot that would tweet at one or two of the handles owned by Google, once a day. After about a week, I had someone reach out, and I was finally able to prove that I actually owned the account and recover it. It was definitely a stressful time.


I find it interesting they didn't block you. Also, would this be affected by the latest changes at Twitter?


> I find it interesting they didn't block you.

It could be because I wasn't spamming them with tweets i.e. I only sent them about 14 tweets total between their two handles over the course of a week, but I can see how they might've blocked someone else doing the same.

> Also, would this be affected by the latest changes at Twitter?

Sorry, I'm not familiar with those changes, so I'm not sure.


I lost my work Gmail account several years ago due to this and vowed never to go back to Google.

It was a slow decay, though, where over the course of a few months I just became less and less able to log in. (Unfortunately when I could log in, I couldn't do anything to change my recovery phone number to one I actually had access to because that triggered another verification round that I could not pass because I didn't have access to the old phone number.)

The best advice I can offer is to try to find an old device that you once logged in from and haven't upgraded or cleared cookies on or anything. Then try to go back to the same country, city and ISP you used where it worked. Do not log in from public wifi! Make sure all your OS-level language, time zone and region settings are the exact same as they were last time you were successful too. If you are lucky you may be able to get in without a phone number and back up your data somewhere else.


Do you have any recommendations for an alternative service?


I just went to Outlook for my work mail and cloud backups. My personal mail is with Fastmail, and I'd highly recommend them if all you need is mail.


What worked for me was to try it again from an IP I had logged in with before. For some reason it causes Gmail to not ask for a phone number verification.

Once logged in I could change the phone number.

Really stupid way to do it. No reason to lock someone out with the right password.

A better alternative would be to show partial digits of an old number and ask you to complete it.


Yes, I solved it the same way (I no longer had access to my old phone number) and promptly set up Google Authenticator (well, actually stored the TOTP string in 1Password) and got backup codes.

I'm lucky that I have a server in the US that I regularly use as a VPN so I could try again from a known ip.


In my case, it wasn't from the exact same IP, but rather the same city. Apparently Google uses IP location as a risk factor as well.


Similar problem.

I have a Gmail account I haven't accessed in many months.

In that time I’ve updated my hardware.

Now google says “we don’t recognize this device” and won’t let me log in.

I have a backup email configured and gmail actually sends a note to that backup email saying someone has my password for the other account. But won’t let me use that backup email to verify the login on the old email address.

Wtf.


Fear of this is one reason I moved all my critical accounts away from Gmail. Conceptually it is good but lack of recourse to recover isn't acceptable whatsoever.


Have you tried clicking the 'Try another way' link?


The 'try another way' works perfectly fine and I can use my authenticator app of choice to log in. But why Google insists on using the YouTube app on my smartphone as the first method of verification baffles me. Can't disable it or set the authenticator method as the preferred method either.


did, forced to use phone


> Anyone has any idea how to recover it other than.... find other number?

The longer you've been locked out, the more confidence Google will have that it's really you trying to log in. That said, the system is really dumb. I have a friend who just got locked out of her account for multiple days because she had a Google phone number, and so of course Google wouldn't let her log into her account to retrieve the text they were trying to send her. Now obviously if she had purposely enabled 2FA using this number then that would have been a mistake, but it's less obvious that one day they would just randomly decide to enable it for her using a phone number that obviously would not work.


Their 2FA is awfully annoying. I've seen they basically require you to have YouTube installed as well in order to verify it's you (why would I need that if I already have your password + code)?


Can we please ban these sorts of posts? This isn't news. People's news feeds are not the place for individual tech support problems. Take it to the Google community forum.


I encourage you to read the HN guidelines:

Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it. Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.


This is a web forum, not a news agency. And I personally find the discussion on these sorts of posts interesting and informative.


Pretty much any "Tell HN" is just someone complaining about something that the vast majority of HN isn't affected by, can't do anything about, and doesn't care about.


Just abandon google before it asks for an anal smear to absolutely ensure your safety and security.


you can download a verification app! :)


What app? I wish, but it asks to use a phone number.... instead of their authenticator/other email.


and do what with it? Do you even know what you just said or what the problem is?


Recently had a close call where my phone screen was dead (no display, no blind touch input either) and I was away from home where I did just happen to have an old android tablet that was "known" to google.

It was not as bad as that guy that Google totally F'd because of the pictures of his kid's genitals that his doctor requested, where he had a google fi phone and gmail email etc. He had no ways around at all. But still scary enough.

I almost couldn't even just buy a new phone to regain access to txt, because Ting web site forces you to enable 2fa, and I had it using google authenticator on the same phone.

So I couldn't receive txt verification codes, couldn't respond to google's "yes it's me" thing, couldn't use my authenticator app to access my account on Ting to move my number to another device so I could receive txts...

Luckily, I HAD saved the recovery codes from Ting and I had those in my KeePass db which I have many ways to access, so I was able to use that to get into the Ting acct if I needed to move the number to a new device. (Plus I just now remembered this phone has a removable SIM card so maybe I could have moved the number that way, but what if the phone had been eSIM?)

In the end, I was able to get the screen replaced at a local shop without resetting the phone, so I regained access to the pre-existing Authenticator install, and regained the ability to respond to Google's "yes it's me" on the previously recognized device.

And if the phone had been unrepairable, I would have been able to move my number to a new device and eventually recover everything else by txt because I did have a way to get into my Ting acct.

I had a lot of non-critical things registered with a Gmail acct for convenience, and for the important things I use a mix of other emails with Gmail also as a backup. But a few of the most important things were using Google Authenticator, and I didn't have a 2nd authenticator app up & running on any other device, and didn't know about exporting the original seed when I first set it up, so I couldn't just fire up some other new device, install an auth app and start using it.

I DID have single-use recovery codes for some sites saved in my keepass db, but not all.

So after this wake-up call, I was able to use my old phone to get into everything and re-do the 2fa on everything.

I found I could use Gnome Authenticator app on my laptop, and export the seed tokens and save a json text blob in my keepass, and verified that I can take a brand new laptop, install keepassxc and gnome authenticator, import that json, and successfully use the brand new machine to access the 2fa-protected sites without needing my existing phone or laptop, and without needing access to any google acct. I do have gmail as a backup email for things where protonmail or something else is the primary.

I also keep the single-use emergency codes for each individual site in keepass as well as printed just because "why not?" though I really don't imagine the print copies ever being used.

So all I need is access to any copy of my KeePass db (which I can scatter around at will and can access any number of ways: thumb drives, home NAS, Google Drive, random VPS, copies on devices, etc., so I do NOT need access to a Google Drive or OneDrive etc. to retrieve it). Everything else can be reconstructed from new downloads of purely open source software and the KeePass db password.

But what struck me is how it's really up to the user to deviate from the easy path and go way out of their way to be safe. They are not safe by default if they just do what google says all along the way. By default, google will happily make themselves a single point of failure for your entire life, which is easily tripped and provides no channels for correcting errors.

Online-only banking/investing accts with no local physical office are particularly scary, when they do not know you any other way than by your login. You can't go down to the office and show the manager your birth certificate or passport or driver's license or idk thumbprint? etc. That's your life savings, your house, everything, all hanging by something that is easily broken and impossible to fix.



