Once you are the dominant provider of something that is nearing life-essential utility status, you should provide support and escalation routes, and you should be accountable.

...Only to find that you can't transfer ownership of a Google Doc from a Gmail account to a Workspace account because "security."

So at this point we have docs scattered across all kinds of Google accounts and domains which is the least secure thing I could imagine, great job Google.

100% in support of regulating the pants off of this company as well as evaluating alternatives to them.

But in essence: Share the files, make a copy once shared, delete the shared file and only the copy exists.

Better though: Don't use Google Drive for business critical docs if you're not a very high spend Google customer able to talk with an account manager. If you're a small/hobby user or individual, keep critical docs offline as well as online. Just consider it part of your business continuity plan.

I'm not saying Google is great: what I'm saying is that once you pay even for the smallest business suite, you get to get actual people on the phone who are there to help you.

I set up a business account in one country and then moved to another country. Several years later I need to re-enter credit card info. It doesn't let me now because my billing address is now from a different country. Google's only solution? Create a new google account.

But are you sure about this problem? If you create Shared drives in a Google workspace, they take ownership of anything I move into it (after dismissing a warninge explaining what will happen), even if I take files in folders shared to me from someone else's gmail account

(The ownership model of drive was indeed terrible before they implemented the shared/team drives.)

It should also be noted that as soon as that regulation no longer applied (Brexit), high roaming charges were immediately brought back in to effect.

EU-style regulation works.

Rationale was that treating people from one EU country differently than from another was against the union. Imagine paying inter-state roaming in the US.

Companies will charge what they're allowed until either the market forces them to behave, or failing that, the government.

Right now Google is not asking information that would allow them to really verify my identity. Not sure if people would like Google to start demanding that kind of information, like personal identity code (for countries where it is available), passport numbers, home addresses etc.

Without strong identity checks, the system is prone to fraud. Black hats can either social e engineer their way around the support agents or use leaked personal data to impersonate people to gain access to their accounts.

Why can't they offer identity verification as an option? It's not exactly difficult to do technically.

How to do this exactly? Do you want Google to be proving who people are by fingerprints, irises? Google has never gotten into this business. There would be so many issues. And is collecting biometric info an absolute bulletproof way to verify identity? And doesn't have pitfalls compared to current system?

Then how about just ID documents? Who would provide the locations to verify these documents? How many hundreds of types of documents would be suitable to prove identity? And thousands of locations would be necessary to serve everyone. Would they be honest / absolutely trustworthy?

Do you know how many people out there are waiting to try impersonating people by forging documents, given the money at stake, and how many outlets (that you'd have to employ as verification agents) would be susceptible to corruption to defraud people who'd relied on these documents as proof of their identity (and keys to their online accounts)? If you register with an identity document, and that becomes your method of proof, what if someone located in another country asserts that they're you with some different form of a document that says your name on it?

It's extremely complicated.

If banks can do it I don't see why Google can't. For many people, getting locked out of a Google account where they hold all their photos, connect to people via email, have their purchased Android apps, etc. is not much better than getting locked out of a bank account (depends on how much money on the account, I guess, but in many cases this is so).

Whereas your google email is known to many. What happens if some one photoshops a ID and says it is you?

Further more how should the ID prove I am the owner for john.doe@gmail?

The fact is that Google is already in the business of authenticating identities and actually does so in circumstances where the law compels them to, but they have deemed it too expensive to do so in the context of recovering accounts, where they remain uncompelled.

As it stands, the GDPR compels Google to make a meaningful attempt to authenticate whether you are the legitimate account holder when you submit an SAR or Data Deletion Request. But, Google, under no circumstances will attempt to identify you if you fail or are deemed ineligible for their automated account recovery process, unless you are eligible for their "In cases of nepotism or media pressure" emergency account recovery procedure.

Your email is not your identity, and your particular email address is not a right. If Google has made available options to secure your email address, what exactly are you entitled to compel Google to do that does not conflict with the security decisions they've also made to protect your account from fraud?

Google seems to disagree https://developers.google.com/identity/gsi/web

The fact is that these corporations are not innocently providing simple little services that users might occasion to use for a bit of time and then freely put down; they provide services that grant them at times more power than nation states over the lives of individuals who are completely powerless to respond. Given that they wield power over a service which is not optional for most of their "clients", whether or not they meant to (they meant to), they are providing a public good. And if they are unwilling to do so in a way that aligns with the values of the citizens of ostensibly democratic nations, then the citizens of those nations should vote to either compel them to offer their services in alignment with the public good or have their property and right to conduct business in that nation seized.

And whether or not many are aware of it, this would not represent a sea-change in policy for any Western government that I know of. This would simply be the very late, but reasonable extension of more than a century of well-established legal precedent that already exists. For example, in the United States, we call corporations that are regulated in such a manner "Public Utilities", in Germany they are called "Öffentliches Versorgungsunternehmen" and in France they are called "Entreprises de Services Publics" and in Spanish they are called "Empresas de Servicios Públicos"

I have a google account made in 2004 (it is nearly 18 years old) and some time ago youtube started to ask me to verify my age by sending my ID or using a credit card.

I think it was a "bug" on their side, since a google search showed a lot of other people complaining about this -> verify your age.. on a 15+ year old youtube account.

Solutions like yubikeys and passkeys theoretically solve this problem, but open other problems: not least what if you lose the key or the device that the passkey is stored on? Then you're no longer you as far as the authenticating party (Google in this case) is concerned. What's more, whoever stole your phone is you as far as they care, because that's all they have to say who is who.

Your devices should require further authentication (password/biometrics) but is that a guarantee? Could Google or anyone else really guarantee that any client device connecting to their service is unhackable, bearing in mind that many of their users may be on cheaply made and fully out-of-support Android devices or Windows XP?

It's a really hard problem to solve.

Google at least have your past IP addresses which should allow law enforcment to identify you (at least narrow the question down to a handful of people who could all be asked if they have a claim to the account unless you only ever accessed it from public networks). Doing all that detective work is not going to be cheap but right now you don't even have the option to pay for it if your online account is worth a lot to you.

Once it will be understood, losing xx-years accounts wouldn't be a problem.

I know this is controversial idea, but the more I see cases like that, the more I am sure about it

Problem is the "society" around us (for lack of a better word) treats IT services as something reliable, see how more and more countries go digital/electronic only when it comes to payments or relationship with the government.

Until everyone can agree on a better system, your e-mail is your online identity across countless websites. This makes losing your e-mail (with no customer support to regain access) a huge vulnerability in everyone's personal life.

Google provides a way to "submit corrections", but there is no accountability, and these corrections might or might not get applied. In my case, they are sometimes applied: some phones will show the right location, and some will show the wrong one. Again, no accountability.

This probably doesn't prevent SIM swapping entirely, but you will need to also steal the other SIM card you're swapping the number to.

Here is an EU article warning about it.

[0]: https://www.enisa.europa.eu/publications/countering-sim-swap...

[1]: https://de.wikipedia.org/wiki/SIM-Swapping

Yes

Article 22 of the GDPR. Essentially it sates that if automated decision making occurs, you must be able to appeal to a human.

https://www.gdpr-toolkit.co.uk/individuals-rights/the-rights...

This is aside from common law, which might give some protection in that entities managing your goods (and maybe your data?), even voluntarily, have a have a duty of care to keep them safe.

A phone number used for this purpose would definitely identify a person, and so qualify as personal information.

What solution could Google offer without creating a security backdoor? Google might not ever be sure as to the identity of the account holder.

The comparison falls flat though when you consider that you can pay money and get the car fixed and still have the car in the end.

The complaint is not "fix my self-inflicted problems for free for me", it is that there is no way to get anything fixed even if one is willing to pay and acknowledge it's one's own fault.

If this has happened (and I can think of a few other ways for this to all go wrong that involve less carelessness on the part of the account holder) it’s quite substantially more serious than having to pay to fix a car.

There are very real consequences to not having access to an e-mail account that reach far beyond the hassle of creating a new one. They reach far beyond even losing your current emails.

Google (and others) slick account creation funnels belie the seriousness of what you’re doing and the devastating consequences if anything goes wrong.

Regulation is needed urgently, but will only happen when enough famous-but-not-famous-enough-to-get-special-treatment people complain.

Given this requirement, free accounts will probably not be possible. If a person uses a free email account for critical transactions, what can one say? There’s a bigger issue here regarding our increasingly digital lives that needs more comprehensive change than regulation of some areas.

Paper mail delivery is guaranteed in most of the industrialized world, more or less. Email is increasingly used as an alternative but is entirely the recipients’ responsibility. Receiving paper mail costs nothing, that’s probably why so many people choose a free provider like Google.

Also, how would you solve the issue of identity verification in case a user loses means of access?

That was very true, but I think this is changing. Recent dealings with Facebook and the privacy regulations give some hope there.

> And one can't really argue Google is a monopoly with regards to email services

EU regulations do not care about monopolies. The main issue is abuse of dominant position, which Google definitely has. The mobile carriers is an appropriate comparison, I think. None of them has anything like a dominant position across the continent, but their collective behaviour was suboptimal and costly for the customers, which was a strong enough motivation for the EC to intervene. I can see a blanket regulation about the processes that need to be put in place to close or recover accounts. In the same way that these companies are required to have dedicated people for GDPR requests.

Also note that EU regulations are much less concerned about random customers than American laws. The EU framework is all about competition and how to preserve it, under the arguable belief that quantitatively increasing competition will benefit the final customers.

If you take deliverability to the average email account into account then they are not far from one.

For example GDPR, right to be forgotten, cookie warnings etc show the EU is more than happy to pass regulations that impact ad-supported services.

The current regulations may be ineffective or poorly enforced - but it shows they're able and willing to pass laws.

Just because a service is free does not mean consumer protection and data protection laws (including GDPR) no longer apply.

Why would you think otherwise?

Closing that loop hole was valuable.

Really, the people that don't are rare.

The Instagram/TikTok feeds of 20-25 y/o are full of these lists of European cities you can visit in a weekend with a low budget.

See also: Erasmus.

The people who benefit most are those who cross a border to go to work, those with family in a different country, and normal people taking advantage of the unsustainably low prices of intra-EU flights. Not really rich people.

I think your post is in poor taste.

Regulation has gone swimmingly, especially when you consider that roaming charges were completely arbitrary. It costs a carrier functionally nothing to forward traffic to another carrier, eçept for whatever price that carrier has set arbitrarly. Regulation has given me a 25 Gb data cap when travelling, greatly increasing the quality of my vacations, allowing me access to information, safety tips and travel-oriented services as a tourist.

Sure, carriers have lost some income over this (not all, only on european travel) but they are massively profitable, and should be treated as a public utility already.

It's never gonna be possible to 100% prevent any possibility that could cause loss of access to your 2FA. Some people will always fall through the cracks - whether that's due to their own negligence, lack of technical understanding or some algorithmic false positive doesn't really matter imho.

The real problem here is, that there's nothing that can be done to resolve something like that, AFTER it already happened. Not even if you were willing to pay for support to help you.

If you got good contacts, are famous, manage to go viral or something, you might be able to actually get help - but as a regular, boring, everyday person, you're just fucked. The only "advice" you are gonna get is: "you should have done this or that beforehand..." - and the obvious answer to that is: "I would have, had I only known!"

The only thing you can do, is post your story on HN and Twitter, and hope someone from Google reads it, and goes out of their way to actually help you - which obviously is AGAINST standard company procedure.

log into Google

giant banner appears

"Hey, is this still your phone number? If it's not you better change it otherwise we can't recover the account!"

click 'no'

change it to a new one

done.

If you miss that step, because you're in a hurry, your kid pressed the button while you looked away, or whatever, you shouldn't be immediately locked out of your whole life without recourse.

We allowed ourselves to be held hostages by these companies, but we should know better now.

Maybe the last time this banner appeared, they still had their number. Maybe things just co-coincided with the worst possible timing. Stuff like that can happen.

I'm really not comfortable calling them completely incompetent over this.

Also there have been reports of people getting locked out for no fault of their own as well. And those people too have no chance to do something about it.

But even if it is incompetence or gross negligence - as a software company, you'd still want people to be able to report that stuff happening, so that at least you get statistics that you can use to measure the effectiveness of any improvements you try to make.

If those problems occur so frequently that it's no longer financially feasible for you to actually look into them... then maybe there's some incompetence going on at your own side, right?

If you're already logged into Chrome and logged into your phone, it might take a few years before you get to "many times"

Also, Google doesn't always make it clear when something is being added as 2FA. E.g. if you log into an Android phone future logins will use it as 2FA.

Then, when trying to access my passwords stored on my google account (passwords.google.com) I was prompted with a message saying that there was suspicious activity on my account, and I needed to approve a pop up on this android phone. Google would not let me access the password manager until I could physically drive back to that phone to approve it. They refused to provide me with any alternative options despite having a yubikey and sms. Finally, I navigated to my inbox (everything else would load except for that password manager) and went into details at the bottom of the page, then forcibly signed out of that android phone. Bear in mind this was the same device that it refused to let me access the password manager on.

Anyway, after removing the device from my account it let me access passwords.google.com

You can't force people to be truthful online, just like you can't fill up every crack on the Earth with cement.

If I ask you to confirm you haven't changed your number and you outright lie then I'm sorry but it is what it is.

It is completely disingenuous to frame this as though Bob walked up to Alice after lunch and asked her "Has the phone number you used for authentication changed?" and she lied and said "No".

And it seems obvious that in most cases, users that lose access to 2FA methods are not asked "has your 2FA changed?" while they still have access to the account. It is far more likely that one day their cookies are reset or google decides it's time to reauthenticate and they realize that they changed their phone number when they switched phone plans a week ago, and they hadn't thought about the consequences.

We think we have internet identity system figured out. We don't. We are just pretending we do with stupid stuff like password, email recovery codes, 2FA, device auth, social network recovery, facial recognition, fingerprint, etc.

So far we have leveraged brain memory, hardware device, face, finger, and friends for authentication. What else can we do to make this better?

“We” do. There are companies that have very strong security and IAM protections. Others have chosen to invest almost nothing. Your vague wording conflates these two very different things.

Some companies have a great concept of identity and have placed high value on identity verification.

Free email accounts aren’t protected the same way retirement investment accounts are because they carry different risk profiles and different value.

One person posted. Hundreds or thousands read about it. The comments aren’t solely intended to OP and aren’t solely for this instance.

I agree that there are few suggestions that will help OP this time. But that’s all the more reason that others learn to take the issue seriously before they encounter it.

They would only get a message if you hit "try another way" and choose one of your alternative numbers during the login challenge.

Where is this option?

After a waiting period of about 3-4 years they changed the process and I could indeed recover my account. Maybe sooner, but I discovered this by accident. I don't remember the details, I think I failed to answer a recovery question at the time. Certainly my fault, but there was no route to regain access until they revamped the whole process.

Alternative idea: If you're really desperate, you could even try to dig up the phone number owner's address and show up at their door or something and explain it that way. (Note I'm not recommending these per se; I'm just pointing out what's possible. Obviously be very careful to consider everything before doing such a thing.)

It is a super bad idea for anyone to give out 2FA codes, they could easily found your email associated with a specific number from a security leak and attempt to steal it.

You'd trust the current owner of the phone number to be honest (because you are contacting them), not the other way around.

If not, another one I was thinking was asking them to meet at their local police department and looping in an officer into the story or something. Different things work for different folks so they'd have to get creative to find the right solution.

Oh wait, I believe these are called notary offices in meatspace!

(tangent: at some point I thought that maybe notaries could sign one's PGP key instead of relying on rare/non-existent signing parties)

Just add sneaking into their bedroom at night to grab their phone.

Raiders of the lost GMAIL-(Account).

that's what the green bubbles are for

Just kidding - but seriously this has been done before and your advice is sound.

Or pay a hacker to do a sim swap.

SMS 2FA is ridiculous

I've certainly had nerve racking moments where my login has been flagged as unusual and I wasn't sure if it would let me in (and I'm completely locked out of my childhood account though it's not been used in over 10 years)

It's a good feature for those with the password "password" but if you've used a strong single use password it just gets in the way

Whenever these posts hit HN there is some people going "well if they don't do this then a lot of accounts will get hacked" - fine! Fucking make my account vulnerable if I want it to, the chances I get hacked are probably still 10x lower than getting locked out by Google's shit AI crap "protecting" accounts. And well if it does happen, those same people can at least have their "told you so" moment. Fucking bullshit.

If I get hacked, it's on me. Google can even add a "you can't sue us for damages" clause in their Terms (which they probably already have) - just don't lock me out of my own freaking account.

In Canada, banks have this for things like e-transfers and preventing suspicious transactions. However, when people acknowledge the warnings and still go ahead anyway, they cry bloody murder and the bank ends up refunding people for fraudulent activity the people explicitly authorized after being warned.

2FA is a great thing and I think everyone should use it.

With that said, I don't want 2FA on my alternate/testing/dev accounts. I simply don't want demo accounts linked to my phone number. I'd like to opt-out of "standard security" (MFA) and accept the risks on non-primary accounts.

In another, non-Google case, Apple once demanded that I provide the answers to challenge questions for an account I didn't use often even though I had my username and password correct. To me, the challenge questions are something that should only ever be used to verify in the case that I don't know my password, and it took me three days of trying against the rate limit to get enough tries to figure out the spelling of the answer for one of my questions. What made it really ridiculous is that the only reason this account existed was to give me access to developer account that was actively billing my credit card that I couldn't access... at least with Apple there was a customer service representative who was willing to try to figure something out as they agreed that it was ridiculous that I was paying money for something I couldn't even log in to cancel (though she wasn't sure if she could actually do anything...).

Maybe hugely insecure but I enable google authenticator then put that recovery code and key everywhere I can.

Anyway, it's not possible to configure 2FA in the way we want. The Google prompts configuration says "To turn off Google prompts on a device, sign out of your Google Account on that device."

There's no way to enforce the Authenticator. Not even make it default.

For now I have removed every android I could from their logged-in-devices page and hope that suffices.

I had a similar story with my own accounts.

It's just lost forever, luckily I had many others, and didn't associate my whole life to any single account or provider, nor used social sign in, so it was not life altering, just a bit of work.

But selfishly, I hope those kind of story get published more and more so that people finally realized that what we told them not to do the for the last 20 years was not just for the sake of it.

People don't listen to preventive talks. We see that with cyber security, climate change, and so on.

They only start to move when they get hurt.

I wished people would have listened to us when we advised not to give everything to GAFAM, not to put everything online, and not everything on one provider. And certainly not to trust them with being on your side.

So they wouldn't have to get hurt.

But this is not how we, as a specie, learn. We need to get hurt.

So make sure a lot of people know about this. Not just in the hope to get the account back, but because maybe more people will listen this time.

For Facebook, I’m currently completely locked out. I have the right username and password, but the email accounts I used to create the Facebook account are disabled now, being university accounts.

At one point, Facebook wanted my credit card or driver’s license as proof to tenable the account, which I wasn’t comfortable with. Then it got paired down to three randomly chosen connections that I needed to contact outside of Facebook. Once chosen by Facebook, these contacts cannot be changed. For me, it included a deceased person and two people I haven't even seen since high school. Now, it just wants to validate the email addresses with no other options.

So now what? Nothing in my control ever went wrong. I know my account, I am the person, and I have the username and password. It would be nice to be able to just call a number with a human on the other line to verify that it is me.

We've entered the era of "death by scale". We and the government allow these companies to treat customers and people as statistical entities. They don't give a shit if their products either flat out don't work or ruin a customer's life for "only" x percent if x is small enough.

Do people use custom domain names to get around the fact of switching email providers? Aren’t there rejection/filter issues when using custom domain names?

I rarely needed to ask for support, but every time FastMail response was by an actual humans, not by a tincans.

I agree that in b), it sucks that once chosen, the 3 people cannot be change (although I kinda see the security angle of it), but what else would you want Facebook to do if you lost access to your email?

I don't understand why it can't just ask me questions about my account. It's not like I'm resetting my password. It was Facebook that randomly decided it needs to send an email, something it never did for the longest time.

For gmail, have several addresses, with redirections to each others, use imap, don't use social sign it.

I also never use social sign in for anything other than using my GitHub account for certain things.

And if FB stole it, congrats, you are rich off the settlement.

TLDR: I actually recovered my old university email address, and Facebook refuses to send a code to that email and has now removed it as an option.

You don't need to host the email servers yourself. Many email hosting services will let you use our own domain with them.

If you want to use an email hosting service that does not directly support using your own domain, many domain registrars include free email forwarding so you can forward mail sent to your domain to your address at your email host, although there might be problems with sending from your domain if you use the forwarding approach [note 1].

It might at first seem that this is just pushing the problem back a little. Instead of the problem being losing your account at a mail hosting service like Gmail, you now have to worry about losing your domain.

The big difference is that a domain registration is a lot more passive. With a Gmail or other mail hosting account it is something you are actively using. Content you generate goes through it. Content other people generate goes through it to you. That gives all kinds of opportunities to trigger false positives on their automated anti-abuse systems.

With a domain you register it and designate name servers and periodically pay to keep it from expiring. Most registrars include basic name service so you don't have to deal with finding a name service provider. Once you've set up name service to designate your email host as handling your domain, or set up forwarding if that's what you are doing, you pretty much don't have to touch anything there and content to/from you doesn't go through those systems so there is simply much less opportunity for something to trigger some sort of automated anti-abuse systems.

Pick you domain and registrar carefully. Don't pick a domain name that is close to some trademark. Pick a top level of .com or .net or maybe your country's top level if you are going to want to send email from that domain [note 2]. Pick a registrar that is not in some country likely to do things that get your country to put sanctions on it.

[note 1] You might not have enough control over the headers on outgoing mail to be able to send a mail that doesn't look like a forgery attempt. For email addresses that you will just need for receiving things the forward approach should be fine, which will cover email needed for account recovery in most cases.

[note 2] The newer top level domains that are available for general use have been pounced upon by large numbers of spammers, to the point that having an email address in them can make it very difficult to get through spam filters. Spammers are all over .com and .net too of course, but that's also where most of the non-spammers are too. With the newer top levels the spammers jump on in large numbers from the start and so from the point of view of a random email receiver those domains are mostly spam.

I've seen a lot of mention of Gandi on HN, mostly favorable.

Although, I have not used any of my domains with email services.

For most users, it’s not a bit of work, but a life changer (as in this case, right). Most sites only allow G and f SSI, and that’s it. Quick registration is a killer feature and it’s a shame that it is not a part of the tech stack at much lower level than google/site integration. It’s almost 20 years of mass-internet and it still sucks at account registration.

These two things would ideally stay separate. Of course, an expert in Computer Science would certainly have his/her own tld domain with email, and maybe use gmail only for proper email work, right?

Well... Not so sure about that. I'm a tech person myself, and my gmail is my online identity. I would suffer the same fate if I were to go through the same issue as OP's mother.

Perhaps there's space here for a startup, or a service, that allows you to fix this. Something that would make regulatory bodies not too unhappy about it.

I wonder if Google could offer real customer support. I know offering support goes against everything Google stands for, but I'm sure many people would be willing to pay non-trivial amounts of money to get actual support from Google.

So if you unfortunately get locked out of your google account, you could pay for support that can actually resolve your issue.

(I realize paying to fix your problem may rub some people the wrong way. However, I would rather pay for a support ticket than be locked out of my account forever.)

Would you pay $200/hour for customer support?

In my case, I did the Google "security checkup" and clicked "yes" when it asked if I wanted to improve my security by using my phone as a security factor. I thought this was just going to cause it to generate those helpful "Did you just sign in" prompts. No: that option actually signs you up to use your phone as a hardware security token which requires you to physically connect your phone through its USB port. Guess what doesn't work on my phone? My freakin USB-C port (!!!!). Eventually I found the loophole that signing in from the hardware key device itself prompts you to use a different 2nd factor and I was able to disable the security that way. It boggles my mind that I was able to enable that security option without proving I could actually use the hardware device to unlock first. But it completely activated it without me ever doing that.

Unfortunately I have seen similar and they never recovered access. It is just lost to the void that is Google support for their free services.

Yes I know it is the risk you run using a free service but I feel there should be some official process for a real human to get involved to get the account back. As you say you can lose access to your whole damn world these days.

It is crazy we have so many protections for your account getting hacked yet absolutely nothing to recover the same account should some automated system determine you are not you.

That is being very pedantic though as to OPs mother (and the vast majority) Gmail and the related Google services were 'free' in that she didn't enter her credit card details and pay a monthly/yearly fee like she does with Netflix.

Not having support for customers you make money on is despicable.

I fully agree with you there is an agreement that the user gets Gmail (or Google service) at zero monetary cost in exchange for them showing you ads and using your data however they see fit. And you can argue if that is 'free' or not but to the vast majority they see these things as free, rightly or wrongly.

Is 'free' the wrong adjective? Perhaps but it is what is used for a non-paid service.

> Not having support for customers you make money on is despicable.

I agree. Like I said it is crazy there is no real support process to get your account back when there are a lot of processes to keep your account safe.

If "no", is there good reason to believe that Google could manage to do that?

If "no", would it be okay for Google (a for-profit company, not a charity) to discontinue free GMail service (presumably with some warning, etc.), because it was not a viable business to be in?

Microsoft also offers chat support for outlook.com

I have not tried the support from microsoft but apple support have been helpful when I had a relative with problems accessing their account. That was not for a paid icloud account.

(Yes, I am familiar with the "nobody ever fired for buying IBM" aura that usually surrounds Google):

I know that passwords are insecure (or at least, most people's passwords are) but I'd rather have that than tying all my identity to a phone.

Since I started using the internet in the 90s I haven't ever had any password-related incident that I know of. Now I have a constant fear of my phone being lost or stolen. I do have an export of the authenticator files, but what if it fails, or if the phone thief starts doing bad stuff since some services are going so crazy with 2FA that they relax the rest of their security? (I have seen Yahoo mail sometimes not asking for password at all, just some SMS code).

I only use 2FA where it's mandatory (unfortunately, more and more services) and I wish it were forbidden to make it mandatory, at least in this form where you totally depend on a phone.

I've made CS my profession also many, many years ago, certainly before mobile phones (I'm talking _any_ kind of mobile phone, not smart phones in particular) were a thing.

I'm setting all of this context up just for the following mini rant: eternal september is a thing. With all IT now tailored to the unwashed masses, some things had to give. Like, as you say, "most people's passwords" are insecure, but they can also be made very secure without too much effort. The tech-savvy folks are aware of that but the moms aren't - so now _everyone_ (including us who wouldn't really need it) have to deal with nuisances like 2FA.

Computers used to be tools for professionals, now they're basically household appliances. It's a net win, I would say, because life has improved for society as a whole. But something got lost along the way, too.

People are trusted with their own keys to their apartments, cars and houses.

Will we ever trust people with their own keys to their social life?

As an alternative, I read that other people print their password list from time to time, and put it in their actual safe or a bank's deposit box.

WAIT

I'm probably too naive but I can't think anything better. I'd gladly pay some money just to avoid this scenario.

- Try to reach Google's One support instead of the generic Google Gsupport. Since they are paying customers, may be there are humans involved at some point.

- If that fails, the next move is to take the legal path. There are several ways of doing so before going to court. I assume that once so trivial reaches any lawyer of the company it will be fixed immediatelly. If it doesn't, given that the company has valuable and confidential information that's not accessible anymore the case could be strong enough to reach a judge, even if the amount itself is very low (20eur/year). It's expensive and will take time, but it's the best I can devise.

Still mad about the lack of ability to provide proof of ownership, we had ample evidence which would have held up in court if required. But alas, google are worried about their immediate bottom line instead of their long term viability.

And if you work for government, please propose legislation which fixes these asshole ghost companies!

You can also add multiple phone numbers, I got two just in case I loose one for some reason. Like if I loose my mobile, I'd need to sign in to google to locate it and I can use another number (my wife) to get 2FA code. And I have authy with my google 2FA by default, you can have multiple devices as well.

I'm not storing cookies when using GMail and at a time I regularly got those suspicious login type messages when the browser updated to a new version. At one point I had to click a link in the recovery email and enter the month when the account was created. Pretty much guessed several times until nothing worked. Tried again a day or a few later and got in again.

Seriously?! Who comes up with these security questions? This is such a useless question, on the one hand it's insecure because it is a 1/12 chance of guessing right, but also who remembers what month they created an email account? I would venture a guess most people here couldn't even get the year right (I certainly couldn't). Seems the question is only useful to lock out the legitimate owner.

IIRC, they require both month and year, so there'd be a bit more guesswork involved. I added the exact creation date for all my Google accounts to my password manager when I learned about this verification method.

Sounds exactly like what someone named waitforit would say

Also worth a try is to pay for Google One. Rumor on the streets says that paid members have a better chance at bending the ear of a human customer service representative. It may be worth the extra few bucks per year.

2 years ago, I tried logging into the account, and google told me I needed to verify an SMS message due to logging in from a new location (I had logged into this account from Canada before).

I tried calling the old phone number, but it's disconnected. So unless I want to move back to the U.S. to try to get that same phone number again, I probably won't be able to access this account until someone gets that phone number, and I manage to talk them into passing along the authentication message

Also, 2FA will still trigger even when you turn it off. I had turned off 2FA because I don't care about this account and because I kept having issues with it due to the countries I lived in over the years. I logged into a machine that got a fresh install and got prompted to go through 2FA and get a text. But this was turned off.

So I'm sorry to hear about this, it's a real big issue and I ask everyone here who cares about privacy and who cares about a better tech environment to push their friends and family or followers to move towards more privacy respecting alternatives that HAVE support, that WILL assist you if something like this happens. Even in a worst case scenario (all emails being lost), getting back access to the account itself can make a huge difference... So please, support those who hit on issues if you can somehow and promote alternatives for those who can afford them (and most people in the west will generally be able to afford the 1USD/1GBP/1EUR a month some services will charge).

Similar situation with Hotmail went better - as the phone number was gone, the system offered an alternative - i had to provide previous passwords, recent emails recipients and subjects.

Might go do this now.

Then you can just download either a tar or zip file.

sucks because i have a bunch of memories locked in that account and can’t contact a human at FB.

Please check for me, because I'm in a similar situation but have been hesitant to try logging back in.

Turns out it was a IP location issue. When I traveled back to the same city I created it, I never got the 2nd challenge. The password was enough. I could then update the phone number.

It's really nuts. I mean, if you know 2 out of 3 security challenges (password, recovery email, but not phone) suddenly that's enough to lock you out?

My son school gives them a google login. I can login on a PC. But on Android you can't login with Chrome because there can be only one google account linked to a device. When I try to login with Firefox (even with the correct password), it says that they can't verify it's me and that I should contact the domain admin.

Have the security requirements for entry to the account reduce after a timeout and notification period.

Eg: Since we haven't been able to verify your access to this account, we have 1 final option for you. Click this button to begin the recovery procedure:

* We will message anyone currently logged in to ask if they want to allow or deny you access. If you are logged in from another device, you can allow access there.

* If there is no response in 7 days, we will message the recovery email addresses and phone numbers to ask the same.

* If there is no response in 7 further days, we will message the 10 most recently emailed email addresses from the gmail inbox to ask if you should be allowed in. The message will contain your name, and request the recipients contact you and give you a code you can use to unlock your account.

The process still has the problem that scammers will farm discarded/temporary gmail addresses. Dead peoples addresses might easily be taken over too...

More generally, can you get someone on the phone? I can't see a phone number in the Contact Us section of their site.

EDIT: I also checked their most expensive plans ($90/user/year), and it doesn't have different support options.

When I got locked out of my account I wrote (in pen and paper) to their GDPR team saying essentially "You don't have to give me my account back, but you do have to give me a dump of my emails".

After some back and forth (they told me to use Google Checkout, which I couldn't access because I was locked out) they decided that giving me the account back was easier, and they did.

>She doesn't have access to the phone number she added for 2FA

Disclosure: I work at Google but not on anything related to this.

Anything that would get Google to update the 2FA phone number.

Turns out, when I asked myself the question "is my email worth $50/year?" the answer was "yes".

It's been a hassle, not gonna lie, and I may never fully get everything transitioned - but it's an important service, and if it's important I want a prompt and easy resolution to any problems. That costs money. Why did we ever think free email was a good idea?

I fully sympathize and understand that the outcome is bad, but this is just a system working 100% as expected.

It would be bad to be cut off, for all the reasons you have given in the intro, but it would be even worse to lose all my mail as well.

It's the only thing I can do to help, I'm sorry for your mum.

I've said it before, Google cannot be trusted with anything important. They don't care about their users because the users (info) are a product they sell to their actual customers. There's no incentives for Google to provide their cashcow something like customer support, because the user is not a customer.