Ask HN: Google login has circular dependency

11 points by darth_avocado 5 days ago

I just changed to a new iPhone. After setup, the Gmail app requires me to confirm using two-factor authentication using one of the following methods:

1. Tap Yes on a notification on my iPhone, which I don't receive because I am not logged in to any Google accounts

2. Verify using a prompt on the Gmail app on my phone (I can't use Gmail on Chrome on my laptop), which I can't use since I am trying to log in to Gmail anyway

3. Authenticator App, which I am signed out of and if I try to sign in, needs me to verify using 2FA

4. Get an SMS. This option is disabled because other secure options are available.

5. Contact Google support; this will take 3-5 business days.

How do you sign in to Google products on a new device if you don't have access to your old device? At the very least, 2FA should support an email code or text code as a backup.

Found a useful discussion: https://discussions.apple.com/thread/255403865?sortBy=rank

eth0up 5 days ago

Man, I sympathize. Google can be ruthless with their (IMO poorly implemented) authentication schemes. I queried an LLM and its reply was:

Backup Codes: If you set up 2FA previously, you should have received a set of backup codes. These are one-time use codes that can bypass the need for other 2FA methods.

    - Check if you saved these codes offline (e.g., on a USB stick, external drive, or printed copy)
    - If you have access, use one of these codes to log in

Try Alternative Devices: If you have any other devices where you're still logged into your Google account:

    - Use that device to approve the login attempt on your new iPhone
    - Or use it to disable 2FA temporarily, allowing you to log in on the new device

Recovery Email: If you have a recovery email set up:

    - Try the account recovery process using your recovery email
    - Go to https://accounts.google.com/signin/recovery
    - Follow the prompts, using your recovery email to receive a verification code

Probably completely worthless.

In my case, I was locked out for using my pass'word' (successfully) from a different device and I did not have 2FA active. I'm not sure if it was the official complaint I made or the 7 days I waited, but I got back in after a week of being locked with absolutely no recourse.

Good luck, and pardon the slop, if it is.

yonatan8070 2 days ago

IMO the problem here is that Google doesn't push backups for your codes in any capacity. They pretend that your phone is _always_ available and functioning for tapping yes, instead of using TOTP codes that can be backed up and synced to multiple device classes (phones, laptops, clouds, etc.).

The issue with supporting text as a backup is that it isn't nearly as secure as other options, rendering every other security measure useless as an attacker can always fall back to it.

Google should ensure that if your account is 2FAed by a single device, you get a prompt to write down recovery codes or back them up, but they don't, leading to situations like yours where you only know about this issue after you're screwed.

ravenstine 2 days ago

This seems to be a growing problem with other services besides The Google. It nearly happened to me with Facebook, though at least they allow you to send them a copy of your ID to prove who you are. With The Google you are basically screwed. Same with Cash App which decided I can't log in anywhere without my old device which no longer worked, and support finally admitted that I'm screwed and have to make a new account. Good thing I only had the equivalent of pocket change in that account because I would have sued their asses otherwise.

timschumi 4 days ago

There is no circular dependency.

Notifications and prompts are going to show up on your old iPhone, and you got some 2FA backup codes when enabling your 2FA authenticator.

  • hahn-kev 4 days ago

    His question was specific to not having your old device

    • timschumi 3 days ago

      But that's still not a circular dependency then, that's just the normal case for "I lost all my verification options" and it's exactly what the last option is for.

      If I create an account via e-mail and password at a random service, destroy the password and delete the e-mail account, then it's not a circular dependency. In fact, the service has nothing to do with it, it can not know that you don't have access to either the e-mail or the password.

    • darth_avocado 4 days ago

      Correct, if you don't have your phone, you're doomed. This can happen for a variety of reasons and is not an uncommon use case. Theft, damage, upgrades, etc.

jammu 3 days ago

Google recovery is a mess. My friend's phone was hacked during travel recently, so he couldn't use that phone to log in. Trying to change his password from another phone was a pain, and even after that it wouldn't allow him to log in unless SMS verification was done from the hacked device, which wasn't even getting any SMS. My friend also had a recovery device, but even that didn't work, and the login flow kept on asking for 2FA using the hacked device, so: buggy flow and complete crap.

Froedlich 3 days ago

That happened to me six years ago. After a few weeks I quit beating my head against the wall, created an email account elsewhere, and eventually got most correspondents to use the new address. And I quit using Google services for anything else, too.

Every year or so I'll check to see if I can log in, but it just loops around variations of "two-factor authentication", which I had never used, and therefore have no answer to.

ecesena 3 days ago

Personally:

1. I use Authy with cloud sync disabled for 2FA codes. When I upgrade my iPhone and restore from backup, all codes are there (has worked for the past 8 years or so; I upgrade my iPhone every year).

2. I never leave the old iPhone until I've tested the most important things on the new iPhone, like email, bank, GitHub, etc.

Hope this helps for the future; sorry this is too late.