If you log in to the Gmail app on any device, it can also act as 2FA. Does not need to be the one where they send the push…any logged-in device will work.
Google Disabling Phone 2 Factor?
Submitted 1 year ago by doctorcrimson@lemmy.today to mildlyinfuriating@lemmy.world
https://lemmy.today/pictrs/image/78e8f07a-8925-478b-ae7b-367dd0cd4ce6.png
Comments
skip0110@lemm.ee 1 year ago
doctorcrimson@lemmy.today 1 year ago
Yeah, that's the problem, you can’t turn it off.
meepmeep@lemm.ee 1 year ago
This is like uninstalling Windows, installing Linux, and then blaming Microsoft because a feature you used in Windows doesn’t work in Linux
doctorcrimson@lemmy.today 1 year ago
If installing linux was a feature sold to you by Microsoft, and then Microsoft removed the ability for the feature to work on Linux, then that would be accurate.
FinalRemix@lemmy.world 1 year ago
Installing Linux is now a feature from Microsoft. They even rolled out a guide recently.
redcalcium@lemmy.institute 1 year ago
skullgiver@popplesburger.hilciferous.nl 1 year ago
I thought the same thing, until I tried to log in over a VPN in an actual other country (not just spoofed GeoIP like most piracy VPNs do).
I clicked “try another way” and got to choose between “notification on your device” and “cancel”.
Google has some kind of fancy security system that will require you to use the highest form of authentication when something fishy is going on. Multiple failed attempts from a foreign IP address on a device resolution you’ve never used before? Gonna hit you with a mandatory device prompt. Login from a browser with an expired session? Probably not even a 2FA prompt.
The idea and implementation are done very well, but Google does lack the customer support infrastructure to resolve issues like “I’m in another country and I dropped my phone”.
You can use Yubikeys or equivalent if you want to always have a way back into your account. Use two for optimal protection against lockout (one primary you use all the time, one stored away safely intended for recovery).
redcalcium@lemmy.institute 1 year ago
I guess if you’re locked up like OP, you’re basically fucked, right?
doctorcrimson@lemmy.today 1 year ago
Cool but that doesn’t fix the fact that the default method is one that literally does not function and can result in a permanent lockout.
SameOldInternet@lemmy.world 1 year ago
It’s the default because you made it the default. Change your damn security settings. Quick to rant about something without knowing how it works or how you got there is on you and not Google.
lobo@lemm.ee 1 year ago
Something similar happened to me too: an account that didn't have 2FA enabled at all suddenly asking for confirmation on a device I had just wiped.
It sorted itself out after a couple of hours, maybe a bug.
ultratiem@lemmy.ca 1 year ago
Lmao
wander1236@sh.itjust.works 1 year ago
[deleted]
doctorcrimson@lemmy.today 1 year ago
You actually have to buy the unlocked bootloader version of phones directly from Google, not something the vast majority of people could accomplish on their own. It’s a selling feature they provide so they can cut out middlemen at carrier services like Verizon (either that or Verizon locks it themselves, idk). I feel like if they wanted to detect that a device hasn’t been used in months or years before requiring you use it and only it for 2FA, they could.
thepianistfroggollum@lemmynsfw.com 1 year ago
I think the carriers are required to do it after the phone is fully paid for.
PM_ME_YOUR_SNDCLOUD@lemmy.world 1 year ago
Even if you turned it back at this point, it still wouldn’t work.
This is pretty infuriating though; Google works just fine with any device that doesn’t run Android so why would they care that you’re running a custom ROM?
My guess is something less evil and more mundane: something about your number changed in their system and now they can’t send codes to it, which is why it’s grayed out. Maybe it was previously classified as a mobile number but now is classified as a landline.
Your only option, if you don’t have any backup codes, is to use that “Get Help” option they have that takes a few days and then either start carrying around backup codes, a Yubikey, or De-Google.
Hey, maybe all 3!
skullgiver@popplesburger.hilciferous.nl 1 year ago
I use my phone to authenticate to Google all the time and I have a custom ROM installed. Google doesn’t care. It’s a problem if you’ve installed a custom ROM and messed up flashing GApps, but that’s not on Google.
However, if I read this post correctly, OP didn’t intend to log into their Android device for long. Google’s locked bootloader requires an account login before it’ll unlock, so OP logged in. Then OP installed a custom ROM, which wiped their device (a security measure that happens after unlocking the bootloader).
Google didn’t know the phone was wiped. It still tried to send a login notification to the phone that had only been authenticated once to get Google’s software off of it.
Google also doesn’t always show all verification options, which sucks ass if you’re in a situation like OP’s. Sometimes they’ll accept SMS, sometimes they don’t. If they think your login is suspicious enough, SMS won’t cut it.
Recovery codes are also risky. Recovery codes work (you have 10 of them) but if Google doesn’t trust your login, they’ll require reauthentication on every single screen, including the screen that’ll let you configure your TOTP settings. I’ve seen screenshots of at least one Google user whose connection was flagged to death after a broken phone, and who ran out of usable recovery codes while desperately trying to add their new phone as a 2FA device (or turn it off completely). Google’s flows are broken in those cases, because reauthentication won’t continue the process of changing your settings, it’ll just bring you back to your settings.
The system is intended to work something like this: based on your account history, your session is given a security score. Authenticating with secure 2FA adds points to that score. Certain settings and actions require a certain security score. That’s why you sometimes need to enter your password again despite having logged in already: to raise your score a little.
If Google rates your security score low enough, you’ll need more reauthentication than recovery codes can provide. Their engineers probably flagged changing your 2FA settings as high risk (as they should) but the scoring mechanism can leave you unable to gain enough security points to do any high risk actions.
Yubikey or another FIDO compatible device is the easy answer: unlimited codes that will let you beat the login loop eventually. Very few people used those, though, and even fewer have two (one for logging in, one in a safe somewhere in case you lose your key).
All of this wouldn’t be a huge problem if Google just had competent customer support. In all honesty, their security system is state of the art and easily beats banks and government portals.
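The scoring model sketched in the comment above (a per-session security score, factors that add points, and high-risk actions gated by a threshold) is easy to reason about in code, including the failure mode described: when a flagged account gets a fresh session on every settings screen, each round of reauthentication burns single-use recovery codes without ever completing the change, while a registered FIDO key can be asserted as often as needed. The following toy model is an added example written for this thread; it is not Google's code, and the point values, thresholds and code format are constructed assumptions.

```python
"""Toy model of score-based step-up authentication and the recovery-code
drain loop. Constructed illustration, not Google's implementation."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed point values and thresholds; a real system weighs many more signals.
POINTS = {"password": 10, "recovery_code": 10, "fido": 40}
THRESHOLD = {"read_mail": 10, "change_2fa": 30}
N_RECOVERY_CODES = 10


def hash_code(code: str) -> str:
    # Only hashes are stored server-side, so a leaked table yields no usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    recovery_hashes: set = field(default_factory=set)
    fido_registered: bool = False

    def issue_recovery_codes(self, n: int = N_RECOVERY_CODES) -> list:
        """Generate n single-use codes; plaintext is returned once for printing."""
        codes = [secrets.token_hex(4) for _ in range(n)]
        self.recovery_hashes = {hash_code(c) for c in codes}
        return codes

    def codes_remaining(self) -> int:
        return len(self.recovery_hashes)


@dataclass
class Session:
    account: Account
    score: int = 0

    def authenticate(self, factor: str, code=None) -> bool:
        """Add the factor's points on success. Recovery codes are consumed on use."""
        if factor == "recovery_code":
            h = hash_code(code or "")
            if h not in self.account.recovery_hashes:
                return False
            self.account.recovery_hashes.discard(h)  # single use
        elif factor == "fido":
            if not self.account.fido_registered:
                return False
        elif factor != "password":
            return False
        self.score += POINTS[factor]
        return True

    def allowed(self, action: str) -> bool:
        return self.score >= THRESHOLD[action]


def step_up(session: Session, action: str, codes: list) -> bool:
    """Raise the score until `action` is allowed: assert a FIDO key if one is
    registered, otherwise spend recovery codes. False once the codes run out."""
    while not session.allowed(action):
        if session.account.fido_registered:
            session.authenticate("fido")
        elif codes:
            session.authenticate("recovery_code", codes.pop())
        else:
            return False
    return True


def flagged_settings_loop(account: Account, codes: list, rounds: int) -> dict:
    """Model the broken flow: a flagged account starts a fresh (score 0) session
    on every settings screen, so each round pays for step-up again and the
    change never completes. Returns rounds that cleared step-up and codes left."""
    cleared = 0
    for _ in range(rounds):
        session = Session(account)
        session.authenticate("password")
        if not step_up(session, "change_2fa", codes):
            break
        cleared += 1
    return {"rounds_cleared": cleared, "codes_left": account.codes_remaining()}


if __name__ == "__main__":
    acct = Account()
    codes = acct.issue_recovery_codes()
    # Password (10) + two codes (20) per round: 10 codes last five rounds.
    print(flagged_settings_loop(acct, codes, rounds=8))
    keyed = Account(fido_registered=True)
    # A FIDO assertion (40) clears the threshold every round and spends no codes.
    print(flagged_settings_loop(keyed, keyed.issue_recovery_codes(), rounds=8))
```

With the constructed numbers, the code-only account clears five rounds and then has nothing left, while the account with a security key clears every round with all ten codes untouched, which is the practical argument for registering a key (and ideally two) before any lockout happens.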
brianorca@lemmy.world 1 year ago
To be fair, customer support is often the way hackers bypass these protections.
doctorcrimson@lemmy.today 1 year ago
As a few people pointed out, it’s only SMS that's being phased out, so using Google Auth is a superior option if you still have access to set it up. But yeah, backup codes would be great for those already locked out by accident.
EFZL5NM0@lemmy.world 1 year ago
You reap what you sow?
doctorcrimson@lemmy.today 1 year ago
I never have and will never ask to use 2FA via the device. This isn’t sown, it’s just crappy design.
squaresinger@feddit.de 1 year ago
How dare you use the phone in a different way than Google intended! /s
Chozo@kbin.social 1 year ago
I don't get this. Is this an SMS-based 2FA? If so, I'm not sure that Google has any ability to block that. Your carrier might, though, but that wouldn't be controlled by your device's OS. The option being greyed out on a third-party site has little to do with anything happening locally on your device.
If this is a push-based 2FA, then... yeah, you wiped the device, along with any tokens previously stored on it. This is also why any time you set up 2FA on any service, almost all of them warn you like a million times "If you lose or transfer your device before disabling 2FA, you will lose access to your account" before you complete the process.
Extrasvhx9he@lemmy.today 1 year ago
I can swear Google gives you 10 OTPs to print out when enabling 2FA as well.
orclev@lemmy.world 1 year ago
This is different. This is something new Google is rolling out. This isn’t SMS and it isn’t TOTP. Google is opting people into push-based authentication based solely on them having an Android phone associated with their account, whether they’re still using that phone or not. Anyone not already using TOTP or WebAuthn should really add those to their accounts before Google decides to “help” you by opting you into their new proprietary 2FA.
doctorcrimson@lemmy.today 1 year ago
The device was never used, though, and it was never set up for 2FA. My default has always been SMS which they are now disabling.
Chozo@kbin.social 1 year ago
Deprecating SMS is a good thing, in all honesty. SMS is not a secure form of data transfer, and is trivially intercepted. You can buy and setup an illegal Stingray device relatively easily, and capture basically all wireless data from a phone within range.
That said, if the device was truly never used for 2FA, then there wouldn't be any push-based 2FA on the account to begin with. Unless there's another device that's been authenticated with your account somewhere, like an old phone. In which case, that's where your login requests are being pushed to. That's a setting that can only be enabled by successfully authenticating with a device at least once in the past.
If there was never any other authenticated device, then that setting on your account isn't there. Enabling that feature is a two-step process, and step 1 involves configuration on a local device before it can be enabled remotely on your account.