Comment by ValentineC
8 hours ago
> Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
It sounds like the mistake here is not appointing another Super Admin, and making sure they don't use their account for day to day needs. Or just having two Super Admin accounts controlled by the same person, heh.
I can't see how not using one's Super Admin account wouldn't prevent tripping some kind of fraud lockout that's impossible to recover from.
Randomly, I just remembered that I lost a GCP account because I tried logging in from Laos, and they asked me for the front and back photos of a payment card that I used ages ago that I didn't bother making scans of before it was lost. Urgh.
Make a primary super admin (admin@ whatever) and only log into it for admin purposes. Make an actual user (you@) for day to day line of business work. This has the benefit of making some categories of spear phishing and xsrf attacks harder if the account that gets compromised doesn't have root.
That's what I've been doing.
It doesn't address this thread's concern that a single Super Admin could be locked out with no recourse, since Google's customer support is horrendously bad.