
Comment by Jimmc414

8 hours ago

Google needs to understand that watching this nightmare scenario play out over and over again is actively destroying trust in their platform. When your email, authentication, documents, payroll, and CRM all flow through a single provider and that provider can lock you out overnight with no meaningful recourse, you’ve invited customers to place their entire digital presence into a house of cards. The fact that this same story surfaces almost daily should be a wake-up call to existing and prospective customers. Every unresolved lockout is one more reason to start planning an exit. Google has led the effort to lower the bar so much that it’s commonplace and somehow acceptable to ghost paying customers who you’ve locked out or, even worse, bounce them through a gauntlet of AI chat bots with the illusion that you are even aware of the damage you’ve caused.

Yeah, loss of a Google account in certain cases can destroy entire small businesses and there's no recourse. In the old world we had extremely deep bodies of case law around utilities and commercial leases and road access, insurance and all kinds of things to make business operation legally predictable, but for the digital equivalent it's still the wild west and everyone just throws up their hands like it's unavoidable.

  • Imagine being homeless, and your Gmail account is your online identity for what little financial presence you have, and how in the world can you recover from its loss?

I don’t disagree, but the reality is SaaS is the model that most companies depend on and these risks exist everywhere.

If your business is dependent on services you need to take a modicum of effort to protect yourself - the post's author was literally walking around with his entire business at risk from him dropping his phone or having it pickpocketed.

At the end of the day, the protagonist in this story is mad because Google won’t allow him to social-engineer access to his company. He deleted his sole token (Google makes it trivial to add many) in the most fraud-signalling way possible.

  • > He deleted his sole token (Google makes it trivial to add many) in the most fraud-signalling way possible.

    Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path.

    He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA. Also, it should be fairly obvious that SMS is not expected to work seamlessly while traveling; how is this not a scenario that's hit by millions of Google users worldwide?

    • We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.

      The SMS only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing. I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email.

      Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.

      Point is, this type of shit happens and you should have a contingency.
