Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Gmail's backup codes are useless to access account
116 points by Andrew_nenakhov 77 days ago | hide | past | favorite | 99 comments
Ok, I have a work account on Gmail. Having the experience of being locked out of Gmail previously (endless loop of "You are entering the correct password but we're not sure that it is you, try again later"), I created a 2fa via Google Authenticator and set up Backup Codes and thought I'm safe from them asking me to sign in on another device or enter sms code (I don't carry that phone with me).

So, one sunny day I decided to add standard iOS mail app to this account, and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

Ok, I don't have that phone with me, so I try to log in with Authenticator, and no, no good: 'we are not sure that it is you, enter code sent to sms'. Ok, I dig backup codes, enter them, and still get 'we are not sure what it is you' message.

What's even the point of allowing to set up Authenticator or Backup Codes if they don't do anything?

If there are some people from Google reading this, please, don't reach out to me offering to help. Just change this dumb system.



It isn't just the backup codes.

More than once, I was in a different country and tried logging into a workspace gmail account. Google flags it as a strange activity (fair enough) and needs to authenticate me. It asks me to enter the complete address for my recovery email (I do this), it sends me a code to use for sign in (I do this) but it still refuses to sign me and says it can't authenticate me. It says I need to sign in from a location that I've signed in from before.

So, for the period that I was out of the country, I couldn't access my email. This happened each time I'm in a new country. My only work around was to sign in to my email (on my laptop) before traveling and not sign out (for security reasons, I don't like to do this).

Something similar happened when I used a new laptop.

I just don't understand this. What then is the point of having recovery email and phone number if you won't use them?


There's a Gmail account I've lost forever because Google wouldn't let me in even after doing 5 factor authentication (password, phone number, code from SMS, backup email, code from email).


Heh, same for me. (albeit only three factors, but more weren't configured)

It was [email protected] that I lost, as I was mostly using my original account with a pseudonym for anything private (was a teen when Gmail started, so didn't think twice about using a cringe username back then).

I had configured the first/last name Mail to forward everything to the pseudonym email and didn't access it again for something like a year... Then I had to respond to someone and... Well, Google never let me access it again.

I eventually gave up on it entirely and switched to a custom novelty domain on fastmail, much much later. (A portmanteau of my last/first name


This doesn't happen for me with regular gmail. I wonder if your workspace had a very strict policy.


1) This also happens to non-workspace (regular) gmail accounts

2) I didn't change the policy on the workspace email when I signed up for it

The point is still - why ask me to authenticate via different methods and then reject them after I've correctly authenticated? If some policy is overriding these, then you shouldn't have asked me to authenticate via those methods in the first place.


I try to always log in to Gmail via VPN that uses the same IP address from any location.


Let's hope you never get locked out of your VPN!


I created a gmail account in 2004 and then completely forgot about it. Just last week I realized that I had registered that account. I went to the forgot my password page, and it prompted for the last password I remembered using, which I took a guess at. It told me that wasn't enough information to recover the account, and that was it, because I didn't have a backup phone, email etc. attached.

But then I thought- what if I just try that password to login. And it worked.

So when I thought I had forgotten my password, gmail prompted me for a piece of information that I got correct, and then wouldn't accept it.

I also have another email account that forwards all mail to my main account, but I've definitely forgotten that password, and I have no way to actually get back into that account, even though I've tried. I guess it just forwards mail forever.


> I guess it just forwards mail forever.

Probably not forever:

https://www.npr.org/2023/11/27/1215285876/google-inactive-ac...


They don't follow that policy. I tried to re-register the account I lost access to, thinking while I might not have access to the data, folks reaching out to my old email would be seen -- it told me the account still exists.

So I can't reclaim it, but can't get in either.


I got a notification a month or so ago for an email I'd completely forgotten about, apparently last used around 2005 or 2006, that it would be deleted in a few months if I didn't log in. It seems haphazard but they do seem to be doing it.


I hope they do, I'd love to regrab the name.


I’d love to see a fully mapped login/auth flowchart with every permutation. New accounts, ancient accounts, accounts with 2FA, without. I bet Google themselves dont even have one now. Remind yourself they are really just an advertising monopoly that does other things as a side project.


They for sure won't have one, and various parts of the flow will have been worked on and happy path tested in isolation at different times, so that no googler ever hits the real world cases like OP did. I didn't even say edge cases because they are hit fairly commonly.


Is it even possible to make a flowchart or is it some opaque AI scoring system?


If you want to prevent SMS from being used, remove the recovery phone number and/or 2-step phone number from your account. That's how I've had my account set up for many years, to prevent SIM swapping attacks. Just make sure you set up all the other 2-step options.


I did it on the account mentioned in post (didn't set TOTP though), and Google locked me out saying "You're entering correct password but we're not sure it is you. Try again later". And I tried and tried and tried, for a few weeks.

Then, after 2 months, I tried logging in and suddenly it worked.


I would start looking at the networks you are using. You may be unknowingly sharing your public IP or IP block with compromised machines that are part of botnets, which makes Google (rightfully) very suspicious of logins coming from there. I would also definitely get several hardware FIDO2 security keys as Google will likely trust those more than other forms of authentication.


That was on my company office network that had a stable IP address for I think a decade. Thing is, Google is now known to randomly become very paranoid and protects you from yourself, and, coupled, with complete absence of any support, often results in full account loss: you have better chances of speaking with the Prime minister of Estonia by calling their office than reach someone from Google.


How certain are you that none of your printers or visitors' laptops or whatever were ever compromised by a botnet? Or that your ISP isn't also serving customers who are compromised or malicious on IPs adjacent to yours?

A few hardware security keys will probably prevent this problem for you. I'm wondering why you didn't consider getting them after you had login problems before.


I don't really think hardware keys (which I have a few, btw) really improve security:

I use a seriously backed up password manager that I have means to access from anywhere, and the only thing I have to worry is that I'd forget my really complex password to access it, because it is unfeasible that I'll lose all my devices where it is backed up and also an off-site backup of it.

With hardware keys, however, I constantly have to worry to keep them with me or in a safe place and not to lose them.

(my position is partially rooted in the fact that I happen to live in a country where you can easily have all your material possessions forcibly taken from you)


This is about proving to Google that you're secure. Google doesn't know if the password you entered came from a password manager or not. But if you're using a hardware key, they know it's secure.

If you lose your hardware keys, you still have your other 2 factor options, so you are no worse off than your current situation.


Thing is, history has shown that nothing is reliably enough for Google, once it flags you suspicious. You've entered password and totp code? Nah, you're still suspicious. Gave one time backup-code? Hah, still suspicious. Have a hardware key? Nice, but you know you are really suspicious. How else can you prove that it's you?!


Does this remove the full screen popup that occurs on both my phone and tablet when logging into my Google account? I'm not sure what type of 2FA this is called, but I would like to remove it and have it directly ask for the TOTP.


Hmm, that one is called "Google Prompt" but it looks like there's no option to disable it.


When my bank introduced the option to use TOTP codes instead of SMS for 2FA, I said "Great!" and enabled it immediately. Unfortunately they don't let you remove the other 2FA options. So logging in, I now get three options for 2FA: SMS code, emailed code, or Authenticator code.


Yes, a lot of places don't let you remove the phone number. But Google does.


True, I deleted mine long ago. They keep nagging me to add a recovery phone number though.


Yeah I get nagged once every few months, maybe. Easy enough to ignore.


So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?


The safest option is a hardware security key because it is not vulnerable to phishing. And I expect Google to trust it above all other forms of authentication because of that. So anyone who is worried about losing access to their account should immediately buy multiple hardware security keys. You don't have to buy them from Google.


So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?

The safest option is straight out of 1994: Sticky notes.

Security keys can get lost or stolen. If someone breaks into your house or office, they're going after something other than a sticky note in your desk.


Passwords on sticky notes can be phished. They can also be lost or stolen. The advantage of security keys is that phishing doesn't work on them. Phishing is a lot more likely for the vast majority of people than a thief both stealing their security key and knowing what to do with it.


One of the first things I do with all of my Google accounts is set up TOTP authentication and not with Google Authenticator. So far I haven't had any issues getting into an account after not logging in for a while (because my gmails all forward) but I wonder if Google will disable standard TOTP in favor of requiring Google Authenticator (which will be a problem because then I would need to get a separate handset for each account).


Google Authenticator is a TOTP client as far as I know, and it can transfer codes to third party clients without problems.

The point of my rant was that with modern day Google, TOTP authentication is not enough.


last time I checked (two years ago), Google Authenticator made it horribly complicated to export TOTPs managed by it. It took me an evening and many unsuccessful attempts to get my 10 or so Google Authenticator-managed TOTPs in a format that I was able to import into other open source solutions (eg Authy Authenticator Android app, KeePassX Linux application).

I don't care if things have changed, it was a shit experience. I highly suggest to stay away from the Google Authenticator lock-in danger.


Google Authenticator, like the Microsoft Authenticator, goes beyond mere TOTP and if you use that (or it's required by Google) then you need an app that can receive a push notification as part of the 2FA. This is the part that would screw up a lot of the consulting work I'm doing with client Google accounts because it would mean getting a separate installed instance of Google Authenticator for each account.


You're confusing Google device prompts and Authenticator. The latter is indeed a mere TOTP client.

By the way I'm pretty sure the prompts work with as many Google/Workspace accounts as you want.


Is there any way to disable the device prompt on my Android phone and Tablet? I'd prefer to go directly to the TOTP code entry as the first item.


I haven't used Google Authenticator, but most authenticator apps allow you to have multiple accounts connected. It would be insane to me if Google didn't.


Of course, it can hold as many secrets as you want. It syncs them to only one Google account though, but that's irrelevant.


I also had my backup codes fail, which caused me to lose access to the email account I had had since I was a teenage hacker. In the Google Voice was the cell number I'd had all my life. Two decades of emails, documents, conversations, and contacts lost forever through no fault of my own.

>If there are some people from Google reading this, please, don't reach out to me offering to help.

I wouldn't worry yourself on that front, unless you are some kind of celebrity, they don't seem to care that a basic, core function of one of their most popular products can fail in a manner that totally locks people out.

The whole point of the backup codes is to facilitate account recovery, and it's really hilarious to me that a company full of allegedly elite engineers can't do one simple thing.

I point folks to 0365 for the their cloud needs nowadays -- Microsoft does this strange thing where you pay them money for services that works rather well, and office itself is streets ahead of docs. (And if you enter a code... it WORKS.)


> Two decades of emails, documents, conversations, and contacts lost forever through no fault of my own.

One reason I regularly use Google's takeout feature to download all my GMail data. Only takes a minute to initiate.


phone numbers and email are virtually mandatory nowadays for banking, taxes, and many other things, including dealing with government bureaucracy... so why the hell is not made mandatory by law to be able to go to an email/sim phone service provider's office with your ID/passport/drivers license and be able to recover your account/number?? (allowing users to choose to provide that identification&recovery info when creating their email obviously)


Google will occasionally brick my account telling me I "didn't provide enough info for Google to be sure this account is really yours". There is absolutely nothing I can do but wait for it unbrick itself after a while, all while not being able to read any mail that comes its way. Support is completely useless.

Needless to say I decided to forward all mail elsewhere. I wouldn't touch Google for work with a 3m pole.


> and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

It's interesting you got that message (via email?) one hour after you successfully signed in on your iphone. Are you sure it was not some phishing email or something? Also are you still logged in on that account or did you get logged out?


Has there been any lawsuits for people such as yourself? "Can't get my mail but will get some money." There must be millions of people unhappy about the situation.

Surely, an AI can check each shut-off account, work out the identity, and then allow the claimed user to send in a picture of themselves holding some ID.... some variation on that anyway. A Gmail employee can do the final checking after voice chat, and the user could even pay for this.

They could ask questions like: Has person X ever emailed you? When did you meet that person? What's their email address?

Also, generally speaking, are voice biometrics ever used? That could work well. "Please send us a sound file of you saying _______" or call some number and speak to an automated checker. I suppose so many companies could get voiceprints by this stage of people they have recorded.


It can even escalate to https://support.google.com/a/answer/1110339?hl=en

"Automatically suspended by Google systems for being at risk"

+ This is an automated message. Replies are not monitored.

https://www.linkedin.com/pulse/when-you-get-locked-out-your-...

Good luck.


I wonder if there is a way to disable this SMS 'security' antifeature once and for all? I imagine it is a constant nightmare for people who travel abroad and do not always have connection on their number registered in their 'home' country.


Indeed. I have a university alumni account that I haven't been able to use for some years because it is managed by Google, and they in their wisdom figured somethings was suspicious (maybe leaving the country or not logging in multiple times a day or cleaning cookies or something else that good patriots don't do).

They're asking for a phone number (so, good to know - if a hacker actually got my username and password, they could access everything Google has on me if they have a fresh phone number, I feel super protected), which I am reluctant to provide, but it still doesn't work.

As you highlight, no support.


On Gmail: https://myaccount.google.com/security -> "How you sign in to Google" -> "2-Step Verification Phone" -> trash can.

In general, no. I've wondered if legislation would be feasible though, especially given the flaws that have already been shown.


To be a person is to have a phone number capable of receiving SMS, at least according to approximately every US company.


+1!

Please Google let me have a normal TOTP authentication. No SMS, no "open the gmail app on this other device and tap this prompt", no mandatory Google Authenticator, etc.


You can add normal TOTP and delete Google Authenticator. You can also delete SMS. What you cannot do (I think) is remove Google Prompt if you are logged into your Google account on a phone.


Related/unrelated outage today:

Ask HN: GCP Outage?

https://news.ycombinator.com/item?id=44605732


LinkedIn did the same thing to me after I have enabled 2FA, completely locking me out of all my devices. Then, they asked me to send a picture of my driver's license to a third-party company, who does some kind of validation I guess, to re-enable my account. God, I wish I can delete my LinkedIn account, but it is my only professional visibility to the business world.


From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.


From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.

Very strange. I've been using both iOS Mail and macOS mail with my company's Microsoft Exchange server for almost a decade with zero problems.

I've also been using both iOS and macOS with Gmail on my personal account for close to 20 years across close to a dozen computers and devices, and the only problem I've ever had is when Gmail suddenly decides to let some company bypass its spam filter.

I think I use Gmail's web interface maybe two or three times a year.


EXO or on-prem? We see a lot of authentication errors and sync issues, so much so that we block the "Apple Internet Accounts" EA since it stops the users from adding it in the first place on tenants we manage.

One particular well documented issue that first cropped up about 5 years ago that I still see to this day is the spam of calendar invite acceptance e-mails (so much spam that the user gets outbound blocked). Only happens if the user accepts a calendar invite using the iOS calendar client, MS couldn't identify an issue and Apple didn't wanna hear about it.


On-prem. We don't do cloud.


A bit of a sidenote but: what is a gmail alternative that really works? For instance, spam handling is worse in pretty much any alternative I've tried.

I'm interested in EU-based products first. But they need to handle spam well!


I recommrnd Fastmail! Switched to them like 3 years ago. They Are perfect for me. I use masker emails for my domain so i never get spam


It's hard to judge but for me Fastmail seems to be pretty great at detecting spam, at least it always ends up in my Spam folder. False positives are pretty regular, so far never actual human written emails though, only newsletters, but still. Overall for me a set and happily forget kind of service. Support is decent too.


My company used to be on Fastmail. Spam was definitely a problem. It's not EU based either if that matters (although the relevant servers may be).


I'm a happy user of Fastmail. It's a paid service (€5 per month) but that comes with higher standards. The webmail has been pretty good. Barely any spam to speak of (once a week?), even though I have various email addresses in public places.


Another satisfied Fastmail user. We don't pay a great deal for it and the service has been very good. Be the customer, not the product.


Protonmail works in the sense that I can receive and send emails, it's always up when I need it. I don't know how much of the spam is not arriving or being filtered.


Do you have any deliverability issues when sending mails? I find Protonmail interesting and I like the clean UI, but I worry my mails may end up in recipients' spam folder more often.


Not the original poster. I use all three Proton domains (pm.me, proton.me, protonmail.com) and haven't had an issue so far.


I haven't had problems with proton domains (i mostly use pm.me) but i also registered my personal domain to be handled by proton and that works well


I have not had any issues so far.


How do you defined "handling spam well"? What problem did you have with the alternatives you've tried?


They definitely do have regular false positives for me, marking something as spam that isn't. Never personal email though.


I use Apple's hosted domain service, which is included in the price of Apple One we were already paying for. It's been surprisingly great since I switched my domains to it.


mxroute is pretty good with their spam handling


Soverin


In my opinion, the #1 way to make Gmail better is to enable forwarding. Then you don't have to deal with their ugly interface, login system, new features, weird compose window, etc....


I'm one of the few that likes the gmail interface, I guess. Whenever I'm forced to use Outlook's web interface, I want to vomit.


Yeah Outlook is harsh. I was comparing it to a dedicated mail reader like Thunderbird.


Me too. I forward Outlook to Gmail.

Outlook is unusable but harmlessly so. What's worse is Microsoft 365. I simply can't find a way to configure 2FA in any kind of sensible way. Right now it's simply turned off, which makes me very nervous. Whatever I do, it is somehow overridden in other parts of their byzantine and always changing cat herd of admin sites. I'm waiting impatiently for our M365 subscription to expire so we can finally migrate off this nightmare.


Gmail has one killer feature which is the auto-acceptance of calendar invites. to put it better yet, it will put any and all invites and invite-looking things from emails into your Calendar. you still need to mark "yes i will attend" manually. that, as far as i am concerned, is the perfect UX for this workflow. i don't wanna have to create calendar items manually, feels very previous-century.

i tried to migrate from Workspace to iCloud but dealing with the insane OSX Calendar app which not only does not put anything into your itinerary automatically but is liable to just disappear items from the Calendar randomly, put me off so much i went right back to Workspace.


That's actually how I use that account, but this time I decided to check how it works with the iOS mail app on new iOS beta with that liquid glass interface.

I even dug out my computer that was logged in to this account in desktop browser, and it too blocks access. Crazy.


Or just use a different email client?


There's a button in the admin page for your workspace admin to disable extra security prompts for 10 minutes. Just ask them to help.


it's a simple gmail.com account, not a workspace one.


I got the same impression as the root comment, since you stated "I have a work account on Gmail". In reality, you have a personal account that you use for work, with the accompanying dismal tech support.

Losing that account is a big risk for your work, paying Google Workspace is an investment in your case.


Yeah I would really clarify that this is not a "work account" in the way most people would interpret it. I agree OP should be paying for Google Workspace if your income depends on this account.


To be specific, I use it for a separate Google Play developer account, which Google refused to create on my Workspace account, saying it must be a regular Gmail account. (They also restrict Workspace accounts from some Google Play functions like rating the apps and leaving reviews).


I don't get it. To me it seems that being locked out of a "work" email is far better (far less worse) than being locked out of a "personal life" one, which probably includes stuff like telecom, utility, insurance, social media being tied to that entity. It is easier to get another job than to "recover" all the other aspects of life


Since this is a work account, I think this is more between you and your IT team than it is between you and Google.


[flagged]


> Who even uses it anyway?

Yeah, who uses Gmail? Basically nobody, amirite?


None of these things is a saving throw versus suspicious login detection. It's for the safety of your account. Wait an hour or two, or resolve the reason for the suspicious activity if you may have caused it (VPN, for example).


VPNs are a wholly legitimate way to use the Internet. The onus should never be on a legitimate user to disengage measures that they've taken for their privacy and safety.

In this case, the user has already authenticated with three factors(!). Framing potential VPN use as "suspicious" normalizes a more locked down, surveilled web with fewer rights for humans. We shouldn't be pushing that direction.


While I agree in this specific case, in general, the idea that privacy and safety measures trump all other factors is poorly thought out. What if, for my privacy and safety, I don't want to log into my account to view a specific piece of content? It ignores the reality and impacts of bot activity. And like, what if you paid the for the content? Obviously you have to sign in to view it.

Although maybe you didn't mean to make such a strong statement.


Using a VPN is not even the suspicious part. Using a public network (e.g. hotel Wi-Fi) can make you equally suspicious, in that case you would actually need to have a VPN to your home network to erase suspicion. So it's not about using VPN, it's about not making yourself easily trackable and surveillable


I don't know for sure but I personally doubt that hotel wifi has the same strength as a suspicion signal that VPN exit nodes have. Some normal users use global VPNs. Every criminal uses a global VPN. That is the problem.

Also, just to point it out, logging in at all is a bit suspicious. Normal users rarely do it. You authenticate to Google on your mobile and that's it, you never do it again.

All lot of these other comments are talking about policy and principals but I am just trying to help the OP by taking their question at face value. Their goal seems to be to login to Gmail.


And with a workspace account you can express that preference to Google. But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked and your aesthetic beliefs about supposed rights strongly conflicts with what humans actually want.


>But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked

Why wouldn't a 2-factor or a recovery email sent to another address be enough to refute this?

If you can hack someone's device, it's not that much more difficult to tunnel the connection through a residential VPN. If you can't hack their device, then you can't get 2-factor codes or access their other accounts.


Why should my login be tied to my IP address, which gets randomly re-assigned instead of a secure TOTP tied to my device? What if I'm in a foreign country and I need to check my email? My account has been totally secured ... against me!

Not only is the email protocol (SMTP) an unreliable transport now due to spam filtering, but the actual login interface (IMAP) is also unreliable! Not that this will actually accomplish anything. Spear phishing and spam campaigns seem to be ever-present.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: