Google could put a toggle in Google Account settings titled something like "Allow anyone who knows my password to log in to my Google account (less secure)." It could sit above a description of the risks involved. It would need to be disabled by default, and it wouldn't help users who don't know about it. It certainly would not fix homelessness in society. But it would do a lot of good for a lot of people!
Would this option lead to some increased number of hacked accounts? Probably, but these would be accounts that explicitly opted in to that risk! I think it's excessively paternalistic to not provide the option. Every life situation is unique, and people know their own lives better than Google does.
The solution is to use one that is. Why are case workers directing the homeless to set up Gmail accounts? Because they haven't been provided with a better solution by the system they work within.
So it's the government's problem to fix. They are the ones handing out phones and setting the expectation to communicate through email. So they can either design an email service themselves that fits their needs. Or they can work with an industry partner, such as Google or someone else to provide the service.
Normal Gmail is a one-size-fits-all commodity solution. It works well enough for most people, most of the time. Specialized problems call for specialized solutions. Complaining that Google didn't think of you is misplaced.
Also, if I was homeless, I wouldn't want my email address to indicate I was homeless.
I broadly agree that it isn't Google's job to cater to everyone, but in this instance, the ask seems overwhelmingly reasonable—and less than what we expect in other circumstances.
With this in mind, what else should Google do?
It should be possible to turn this off!
Using "support" and "Google" in the same sentence is laughable. They barely support the ad clients that pay their freight. Google's entire business model is built around NEVER providing support for the users of their technologies, and killing off any products that don't monetize.
Where on the Gmail page does it say "not for homeless people, sorry"?
Adding (and forcing) 2FA was a recent decision from Google, which came a long time after Gmail the product was already introduced. There are millions of accounts which were created long before anyone had an idea what a smartphone was, let alone phone-based 2FA.
Not having 2FA is going to allow some portion of users to get hacked. When those users do get hacked they will need a way to regain control of the account. Methods of regaining access to an account are notorious for bad actors social engineering their way to gaining control of accounts.
2FA relieves some of that, because even if you do get hacked you can provide a token from the authenticator that was attached to the account, proving that you do in fact own that account.
> I think it's excessively paternalistic to not provide that option.
I don't find it paternalistic. The goal is to cut down on support costs by reducing the number of users who get hacked and need assistance regaining access to their accounts, and to force users to have a method of demonstrating they own the account even if they can't log in. That it confers some additional security to users is nice, but not really the end goal.
I don't think they do! This would be part of the tradeoff.
Currently, people who cannot use or rely on 2FA are getting locked out of their accounts even if they weren't hacked and knew their password! Isn't that worse?
I don't think so. You seem to presume the end state of both is that the user is locked out, which is only half true.
With a lost 2FA device, the user and everyone else is locked out of the account.
With a compromised account, the user may be locked out but the hacker is not. The hacker is free to impersonate the user to social services, hospitals, potential employers, etc. If there's no mechanism for the user to regain control of the account, the hacker will have that access until the user can contact all of those people and give them a new email address. That could take a while, especially if we're considering that the user has a high chance of not having a phone at the moment.
Not if it's happening to fewer people than the alternative.
I got "hacked", I mean yeah it was a hack using an Android phone and Google's automated recovery system.
If not for the latter, my incredibru strong password would've saved me.
They also removed the phone and backup email from that account because I recovered the account once.
I sure hope 2FA cannot be removed once someone gains access (not without a call to the 2FA number/whatever) lol.
Either way, I'm not using it because it's a pain in the ass. I already hate that they lock me out if I try to log in from another country.
Gee, yeah I travel between EU countries, that's very unusual for most people.
So we should be mindful of Google's profit margins, instead of homeless people's access to vital services?
• The people who want security get to keep all the security they get today.
• The people who don't think about security and leave default settings intact keep all the security they get today.
• The people who explicitly ask for less security get less security.
• Some of the homeless will get increased access to vital services.
It's a win-win—unless you believe, for some reason, that people should have security forced on them even if they explicitly ask to not have it. I fundamentally don't understand this mindset. People should have the right to do dangerous things if they are warned of the risks involved.
That's like forcing Pep Boys to change the tires of senior citizens for free because social security isn't paying enough.
Maybe we should put our efforts towards fixing problems instead of asking private companies to put a bandaid on it at their expense.
1. Go to myaccount.google.com
2. Press "Security"
3. Press "2 step verification"
4. Enter your password
5. Press "Turn off"
6. Confirm the dialog that says "Turning off 2-Step Verification will remove the extra security on your account, and you’ll only use your password to sign in."
If you log in from a new computer or unrecognized IP, Google forces you to use the YouTube app on your phone to enter a “code” to log in. It sometimes doesn’t even let you get a text code. God forbid I lose my phone or delete the YouTube app and log in from a new IP. I don’t know how I would even get into my account.
I don’t know how this isn’t a wider spread issue affecting more people but I guess Google developers live in a perfect world where the YouTube app auth can never fail and you never lose your phone.
I had the right password and recovery email but I wanted to txt a code to a phone number I didn’t have any more.
That seems insane to me. Right password, access to “recovery email” and still blocked.
What ended up working for me was trying to log in when I took a vacation back to the same city when I last logged in.
Didn’t get asked for the OTP code, so could get in and update the number.
I wouldn’t have such an issue if Google had customer support and let you send other proof of identity. But they don’t.
And now I’m getting weird requests to confirm I logged in from the YouTube app on other devices. YouTube?
If you have 2FA enabled, then yes, of course it will ask you for the second factor if you're doing something unusual.
But with 2FA disabled, logging in with just a password works fine.
> Look, I'd love to stop CP distribution in America! Really, I would! But Google's encryption policies are preventing law enforcement from intercepting pedophile communications now, today.
It's the same "think of [vulnerable group]" type of statement.
But also, yes, there are in fact many times when it's important to consider the needs of different groups of people! That isn't to say that the ends always justify the means—it depends on what the means are—but reasonable accommodations should be made where possible.
Google allows someone of your choosing, who must also have a Gmail account, to take over one's account after x months of inactivity. It's not great but it's better than nothing and it has the benefit of being an option that exists today.
Remember you have the “rescue keys” from Google to avoid these kinds of problems.
The bigger problem is how you teach those people how to use the services in their situation.