undefined | Better HN

0 pointsquadrifoliate1mo ago0 comments

> He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.

Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path.

He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA. Also, It should be fairly obvious that SMS is not expected to work seamlessly while traveling, how is this not a scenario that's hit by millions of Google users worldwide?

0 comments

Spooky231mo ago

We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.

The SMS only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing. I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email.

Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.

Point is, this type of shit happens and you should have a contingency.

quadrifoliateOP1mo ago

> Point is, this type of shit happens and you should have a contingency.

Let's work through what the contingency could have been. Always make sure you buy international roaming everywhere you go? Always be able to switch your MX records (from a provider whose account isn't tied to a Google-controlled email)?

They seem to get increasingly less practical to be honest. People travel all over the world everyday, this shit shouldn't be hard for a company like Google that supposedly ingests mountains of data.

More to the point, I think email has become sort of a fundamental right given how much of your identity depends on it. Companies that control this sort of identity foundation need to be heavily regulated, and perhaps nationalized.

Spooky231mo ago

Ok, sure man. In the meantime before the Lenin of our age appears…

In this case, don’t run around with a business account with a single user with admin privileges. Segregate privilege. Don’t share a phone number with other accounts. Don’t use SSO as the key to your business.

If you run a business you need to manage risk. If a customs officer thought he looked funny and seized the phone, he’d be boned as well.

j / k navigate · click thread line to collapse

0 comments

Spooky231mo ago

We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.

Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.

Point is, this type of shit happens and you should have a contingency.

quadrifoliateOP1mo ago

> Point is, this type of shit happens and you should have a contingency.

They seem to get increasingly less practical to be honest. People travel all over the world everyday, this shit shouldn't be hard for a company like Google that supposedly ingests mountains of data.

Spooky231mo ago

Ok, sure man. In the meantime before the Lenin of our age appears…

If you run a business you need to manage risk. If a customs officer thought he looked funny and seized the phone, he’d be boned as well.

j / k navigate · click thread line to collapse