Easy to lock yourself out of your Google account? → Is that normal?

[KleinesSinchen]

To anybody in the know about Google: Please enlighten me.

Concise version:
Is it normal that you lose access to your Google account if your only smartphone becomes inaccessible/inoperable and you didn’t actively take precautions?
In a vicious circle Google demands confirmation on the phone to log in on another phone or PC browser.

Spoiler: Longer description

How to fully describe the problem? My mum uses Google on her smartphone. Lately I decided to use the given free Google Drive space for backing up official stock ROMs of Android devices. So far so normal.
Log into the account on Firefox (Linux) with Gmail address and password… and then it demanded to confirm on the phone despite no 2FA has ever been set up. Not a big deal: Phone is ready. But I realized this is a single point of failure. Loss/theft/defect of the phone would have lead to permanent loss of that account.
I tried to log in into the account and clicked on “other method” or “without phone” which only went full circle asking for confirmation on the smartphone again and again.

Great!​

Google never gave any warning about this possible single point of failure; neither was there ever a note to setup recovery methods. An alternate mail address had been provided for years. Same for the phone number. Despite that Google did not offer to provide a 2FA code via mail or SMS.

We decided to actively set up 2FA with phone number, mail address (got test confirmation codes on both) as well as backup codes (printed). Google still doesn’t allow us to log in on PC without confirmation on phone by default; but I assume the recovery options would allow it. Additionally I flashed Gapps on a damaged (Sim card reader bent pins) Sony Xperia Z (Yuga) running LineageOS 20 and we signed in there.

Now Google allows both phones to authenticate new logins.

 

[Alexander1970]

I had an "strange" Experience" 2 Years ago.
Got my Wife an ZTE Blade V8 Lite via willhaben.at for her Work (I still do not understand,why they NEED the WhatsApp Shit App).

After I got the Phone,I want to reset/restore it......I never did something like this before,so.....



If you do not have the "Google Accessdata" (thank God there are "nice Guys from India in the World Wide Web......with their Help everything worked) you can take your Schmartphony and put it

THERE ->

 

[InsaneNutter]

Usually when I log in to my Google account on a new device it will prompt on my mobile, however it will also give the option to enter a code from my authenticator app, or use one of the recovery codes generated when 2FA was enabled.

The phone might have had to have been offline or not accessed for a while before email / sms recovery to be possible. When my friend recovered his Hotmail / Outlook account after forgetting his password he had to wait 30 days, I suspect it could be something similar with Google if you have no additional authentication methods present.

 

[KleinesSinchen]

If you do not have the "Google Accessdata" (thank God there are "nice Guys from India in the World Wide Web......with their Help everything worked) you can take your Schmartphony and put it

That's FRP – Factory Reset Protection.
Supposedly anti-theft feature. Probably the cause for millions (billions?) of Android devices ending up as e-waste prematurely while not having stopped a single thief.

And this is actually related. If Google had implemented the check "confirm on your smartphone" when we got our first ZTE Blade L7, mum would have lost her Google account. After a few weeks of usage the unmodified smartphone went nuts and only showed

Spoiler: Mr. Drunken Garbage Can

I managed to restore the main software from recovery. Now imagine FRP in conjunction with the problem why I made this thread:

1. Proof this is your smartphone by entering your Google credentials used previously on this device​

2. Confirm on your smartphone​

Well, it is the same phone, but the previous profile got erased. It can't confirm itself. Baron Münchhausen pulling himself out of the swamp by grabbing and pulling upwards on his own hair?!

Usually when I log in to my Google account on a new device it will prompt on my mobile, however it will also give the option to enter a code from my authenticator app, or use one of the recovery codes generated when 2FA was enabled.

Which means you actively set up something – which many people don't.
The authenticator (some token??) must be backed up somehow as well. Else you get… → this.

 

[Ryccardo]

Never had this problem but I had the equivalent with Apple (no, it's not why I have this avatar lol):

- Acquire a free iPhone 8 or whatever
- Properly logout off the original apple id
- Try to login with mine which of course I didn't remember the password to since I last used it in mid 2014 (that's when iOS 7 beta 3 was current and I realized, correctly to date, that there was no future if you hated that kiddie flat glass design)
- Reset the password, 10 minutes, done
- Play around with it a couple of days, put it back on the shelf
- A few months later, turn it on again, don't remember the lockscreen password, factory reset, be back to step 3
- Reset the password, but after verifying both email and phone number they absolutely insist I log in with a recent enough Mac or iPhone
- Wait 1 month for the alternative

 

[Fien]

I'm afraid this will happen. Some years ago it automatically begun asking me to confirm on my phone when I logged in into Gmail on a PC which doesn't had cookies enabled. I don't like it, but it seems like it can't be disabled.

Also, when my phone was broken and I bought a new one to set up, it gave me an alternative to send a SMS only to the phone number in the account. But... what would happen if the phone was stolen and the SIM card was lost together with the phone?

Since then I have 2 spare logged in phones at home and when I'm on holiday I take a spare phone with me.

That's FRP – Factory Reset Protection.

That "protection" is a nightmare for buyers of second-hand smartphones.

I've saw it once, resulting in a phone only usable for parts only. Since then I always ask if the seller can show the phone booting to the home screen before I buy it.

 

[KleinesSinchen]

2FA is a really good and important thing. I always enable it when available. The problem here is that Google enabled this without explicitly notifying users ("You need to use 2FA from now on. Prepare backup possibilities.")

Since then I have 2 spare logged in phones at home and when I'm on holiday I take a spare phone with me.

You obviously don't want to lose access with two backup devices.


We've tested this a few times in the last weeks with success.
The old secondary phone is automatically used for authentication whenever the main device has been offline for a few hours.
========

@Alexander1970 I just can't get over this cartoon pig. Excellent.

 

[Cranberrycc]

Provide a backup contact number or email address. In the event that you are unable to access your primary phone, this enables Google to send a verification code to your backup contact.