When I commented to people, everyone told me that they could change their password doing this and that, but. But when I put it in Google it told me that it was incorrect. How? Don't know, I have a password manager that captured the password I inputted and it was exactly as it should be inputted. In that case it was a change of password of the main account that went wrong. My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you. This may imply that failed login attempts may flag your session as even worse than before. However, I also think that Google keeps track of a "security rating" for your session when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA. This leads me to believe that maybe Google hides certain options by default. If I recall correctly, I had to let the thing fail and then click "let me try another way" or something similar. Only after two timeouts did it add the option to use a TOTP code. I remember Google not letting me log in with my TOTP code when it insisted on me clicking a prompt I hadn't received. The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with TOTP constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably). Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.
When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format, the latter in one's mind) is simple. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere. "Know" means it exists only in your mind; it is not stored elsewhere. Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have." > store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do is just not something normal people are ever going to do. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure. It all feels so absurd that the UX side of me just rebels. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen. I never forget my password manager master password because I use it weekly. But the biggest problem with both of these is I'm going to forget the password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that. So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. But honestly, where the heck else am I supposed to put them? I know from experience that printouts get lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts. Yes, this is a classic "maybe I can get support through public shaming" attempt. What am I supposed to do in this situation? Entering a backup code instead of a 2FA code returns an error. The only option under "Choose a way to verify" is to enter a 2FA code.
When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google. In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. These successfully log me into my Google Account. I lost my Google Authenticator settings when I broke my phone. I had 2FA set up with my Google Account through Google Authenticator. I would like to inform the HN community, if your plan to recover your Google account in the event of losing your phone is to use a 2FA backup code, or SMS recovery, to remove the old 2FA setup and set up a new 2FA code, that that may not be possible.