Comment by wl

1 day ago

I have the same issue. At the time I created the account that I'm locked out of, Google said nothing about these "recovery" email addresses as 2FA. Years passed without any notice that maybe they were going to lock me out of an account I have the password for. No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date because I never thought I'd need to "recover" the account from Google. (In my case, it's an old .edu email address that I was promised "for life".)

If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.

> No notice that I had better have access to that "recovery" email address that I hadn't bothered to keep up to date

The rest of your complaints make sense but this one is bizarre. It's a recovery email, isn't having access to it the entire point? Like what else did you think it was supposed to be there for besides being accessible?

Google clearly misused it for something else, and you have a strong argument they shouldn't have. This one sentence just needlessly weakens the argument.

  • The point is that an or relationship was silently converted into an and relationship, which is a _very_ different relationship between two factors.

  • I never expected to need to recover the account because I used a strong password stored in a password manager that I had adequately secured and backed up.

    • Exactly.

      It was pretty sobering when Google demonstrated to me a new and novel way that made them the actual threat to my account security. I thought that by carefully refusing to publish anything with their add-ons (YouTube, Docs, Android Store, etc, etc) that I'd avoid getting swept up in an automated account-wide bannination, but, nope. A perfectly ordinary login to the account I'd had for years from the exact same location and IP address I'd used the day before was "suspicious" and required "recovery".