If I get locked out of everything, please try to help me

There was a post a while back around poor and homeless people encountering exactly this problem on a regular basis. Lots of people in the comments were incredibly dismissive and sometimes actively malign about it.

Edit: One suggestion from me would be to try and start the dead phone connected to power but with the battery physically removed (assuming it's removable). That might bypass whatever issue it's having and let it start up.

This is my nightmare. This is why I refuse to use 2FA. (Except on services that require it, and I wish they didn't require it.)

Am I worried about getting hacked? Absolutely! But when I weigh the likelihood of (1) someone else getting into my account without 2FA and (2) locking myself out of my own account with 2FA, the latter seems much more likely!

I understand how backup codes work. I promise you I will loose them.

You have to click forget password. Then keep pressing "Try another way" until you see "Choose how you want to sign in:" Then select "Get a verification code" It should text the code to telephone number linked on the new cell phone.

After signing in on the new phone with the new password, you will have to do the same thing. Press try another way until you see send a verification code to your phone number. Then it will text a code to the new phone.

You're also welcome to call me and I will try to help you over the phone.

I have long wondered if two factor authentication actually causes more economic harm than it solves - it just doesn’t cause that harm to be noticeably all in one place (the harm is spread to millions of users who will lose access at some point during their lives rather than concentrated on the company that implements TFA dealing with fraud).

It feels like it might.

This isn’t counting the productivity that’s lost to actually using the TFA system successfully, which is probably measurable on a population level.

I wanted to point out a very serious problem related to this post: Google will no longer simply accept totp as a verification but insists on sending you a notification to one of your devices.

Now I can't just use KeepassXC to get into Google anymore, I have to use my phone. The problem that the OP points out provides very real and poignant evidence that this is not only annoying but dangerous.

What is it that companies have against totp? It's starting to get obnoxious. I want to use it everywhere but some companies have stopped honoring it.

Hi Doreen, I am sure many people recognize you as a long-time HN user! I hope someone from Google can reach out to their accounts team on your behalf.

I had this happen with a cheapo android phone ages years ago, where the battery drained beyond 0% and the charging circuity wouldn't recognize it. Sent it for repairs and it conveniently came back with a dead battery again due to the long shipping time. I ended up stripping the wires out of the charger (the USB end, not 120v), and connecting it directly to the battery for 30 seconds or so. This bypasses the charging circuitry in the phone and got it up to a few % so that it would turn on. Surely this can go very wrong but it was my last idea.

> Google says it will send me a link in 72 hours.

Right, so why don't you believe that? A lot of people have lost their only second factor in the past. That's what the recovery flow is there for.

Why not at least wait that amount of time first before escalating to using HN as a support forum?

> Google is convinced I'm trying to break into my own accounts

That's like saying that the front door is convinced you're trying to break into your house, if you try the wrong key. First, it's not useful to anthropomorphize companies and systems like that. Second, "convinced" implies certainty. Of course there is no certainty that these attempts are coming from an attacker. They're even unlikely to. But for 2FA to be a useful security product, it needs to be predictable. It cannot be that there's a button that says "I've lost my phone and need access to this account right now", even if such a button would be very useful to legit users, because obviously attackers could click on that as well.

And that's why the 72 hour wait. If it's an attacker, the legit user will be notified and can reject the recovery attempt. If it's the legit user who really doesn't have access to the account any more, then the passage of time acts as additional proof of this.

Feel sorry for you. I have been locked out of my gmail account for a few weeks. I can receive verification code with my registered mobile, but it is not enough for Google to confirm my identity. It happened twice when I switched to a new phone, I have planned to move away from Google but I didn't. It is painful. Everyday I would realize there is a service I cannot access because I don't have access to my gmail account any more.

I am moving to iCloud, the setup is better than gmail in my opinion. I am not sure if I can get my digital game library back, and many other accounts. I will try to recover my gmail account once a week, and hopefully something can happen. But as far as what I read from internet, people have been locked out their email account for years, and no one cares.

A lot of people treat printable recovery codes as something that should be protected, locked in a safe, etc. As a result they don't bother to use them as it seems like too much effort to secure them.

Please do not treat them this way. They do not grant access to your account. Print many copies of your recovery codes and spread them around. Wallet, home, car, parents' house, etc. It doesn't matter if they get stolen or whatever, again they don't grant access to your account, and they can be revoked at any time.

I know that educating people about this is not a scalable solution to the problem of people getting locked out of their accounts. But maybe it could help you, reader of this comment, if you someday need recovery codes.

Read this thread:

"Ask HN: How to Recover Gmail Account"

https://news.ycombinator.com/item?id=33850676

Google is extremely frustrating in this regard. I keep my TOTP in 1Password so that I can have it on multiple devices. When I tried to login in on a new device, I used the TOTP code. Google then wanted me to click approve in the YouTube app on an old device that was no longer functioning. Eventually I was able to get it to work by re-logging in a few times (I guess it gave up) but why the fuck do I even have 2FA if Google isn’t going to fucking respect it? Infuriating.

If you're in LA and need a computer to use or an environment with wifi and power and what not to trouble shoot this, you're welcome to use my apartment. I have a spare ATT phone if you need something to act as a intermediate device (if your son wants their phone back :p).

If I worked in tech I'd offer you access to a solution but this is all I've got. I hope this problem doesn't last long for you.

This is the issue with companies forcing 2FA on people. I don't see why it's so controversial that people should be able to make their own security decisions on their own accounts.

Yes, I know 2FA is more secure, but sometimes, I just don't care that much.

I recently lost my Android phone, and in order to use Find my Phone service, I needed to login into my google account. But I couldn't log in from my notebook, because it required me to approve the login using ... my lost phone! Is this what Google programmers are paid $250k salaries for?

I can't help with the phone/lockout issue, but I can help (through ArchiveTeam https://archiveteam.org/) with saving the content of your sites to archive.org. I started with doreenmichele.blogspot.com (mentioned elsewhere in the thread), if there are any other sites that need saving, you can reply here or join the ArchiveTeam chat and I/we will get them uploaded.

For anyone else worried about this, print off your backup codes and put them in multiple places. A friend's house, a fire safe, a safety deposit box, etc.

I nearly had the same issue. My phone died and I couldn't get my new phone on Google Fi without receiving a text message but I couldn't get text messages until I was on Google Fi. My backup codes saved me.

For no apparent reason, my phone just mysteriously was no longer stuck this evening and no longer unable to complete setup. I'm guessing someone contacted someone at Google but I don't actually know that.

I did buy a wireless charger to try to resolve the issue with the dead phone. After I bought it, we thought to look up the make and model of both phones. Neither of them can be charged that way.

So lesson learned: Look up such info first. If you need to help someone, keep that in mind and actually tell them (and make sure they got the memo -- if someone said this here, I didn't notice), especially if money is tight, they live without a car and/or are handicapped such that small errands and small expenses can be a painful burden.

I'm still nervous that this may not actually be resolved. One detail is not working and I suspect I know why and I think it will likely be resolved tomorrow (crosses fingers), but I said I would update when I had news, so that's what I'm doing.

(Posted from my phone.)

I have to use wireless charging because the connector on my old phone is toast. It was a lifesaver for ~$15.

Here some things that might help you:

1. Most probably you will need help of someone who knows a little about technology. Maybe you can ask someone you know or pay them by helping (time for time).

2. Since you said in a comment that you have poor eyesight, let someone with a magnifying glass check if the usb port on your old phone is simply clogged up. This is quite likely to be part of the issue.

3. Try different usb cables and charging ports, ideally one that you can verify that works by testing on another device (for example the new phone). These things break all the time.

4. Try carefully wiggling the usb jack while the charger is connected and it should be charging if nothing was broken. The goal here is to find a position where the phone gets charged at least for a bit. Also note: If the phone is off it might take several seconds before the phone indicates that it is actually charging. This is fidgety but could resolve your problem quickly and easily.

5. If the phone has wireless charging you can go to star bucks or restaurants, some provide wireless chargers. You might get some charging done and resolve this.

6. [Technical person needed] You can order a battery replacement (also search on craigslist). If your phone is not too new/fancy this should be very cheap. Then the technical person can swap the batteries and try charging the old phone again. If the old phone then works you can sell it and get a little money back :)

7. [Technical person needed] Depending on your exact phone (the old one) you could search craigslist for a broken one where the screen is damaged but the phone otherwise works (these should be very cheap). You can then charge this phone and and let the technical person swap the battery, same as above.

8. Repair shops: Since your problem (the part that the phone is not charging) is quite common, repair shops might have even more possible solutions. I don't know about the US but in europe many of those are very affordable, especially small ones.

9. Can you tell us the manufacturer and model of your old/broken phone? It's not unlikely that someone on HN has the some model or a battery replacement lying around and you can pick it up or pay for shipping or they might even pay for shipping it to you.

Come one HN, this is a solvable problem!

If you can get to a public library, these often (though of course not always) can and will go to heroic lengths to help people with device and service issues. They may also be able to help with charging problems.

Repair shops should also have some capacity to help as others have noted.

I'd also open a consumer-rights issue with your state's consumer-affairs agency, usually the state attorney general or equivalent office. For Washington State:

<https://www.atg.wa.gov/consumer-protection>

(This tends to be oriented toward utilities and comms providers though it addresses general concerns as well.)

Washington State's AG specifically notes:

The division’s Consumer Resource Center provides an informal complaint resolution service. The informal complaint resolution process includes notifying businesses of written complaints and facilitating communication between the consumer and the business to assist in resolving the complaint.

Otherwise, this is a major and escalating problem. The present privately-operated, corporate, for-profit systems we have come to rely on address the problem quite poorly. It's bad enough for techbros and the generally affluent. It's literally life-or-death for the poor, indigent, and handicapped.

I'd like to see organisations such as the EFF, mental health and social welfare organisations, the AARP, and others, put this issue on their priority lists. Ultimately we're going to need some sort of legislation to address the question.

Good luck, Doreen.

Let’s talk about the control these big tech companies have over our lives, because last week I was locked out of Amazon and closed my account with them.

I understand my issue is entirely different from Op’s from the wealth perspective but the fact remains a third party holds all the keys to the kingdom.

I woke up last week to a flurry of Amazon chargeback alerts. Somehow, Amazon (Chase Bank) issued me a new credit card because my old card was expiring and they continued to allow me to buy my entire family’s Christmas on an expired credit card - or this is what appears to have happened.

Instead of contacting me or charging the new, correct card Amazon decided to lock my account. That makes ever Amazon device stop working. You can’t access AWS, you can’t login to update your credit card.

We have a home full of Amazon bricks suddenly, the kids alarms clocks no longer even function as clocks.

The customer service was so poor I am no longer a customer of Amazon. I held firm and let them know if they didn’t unlock my account they could sort it out themselves with the credit card company.

Make no mistake these companies are holding us hostage the more we depend on them.

This is highly frustrating and it sucks.

Also Google is totally doing the right thing here. The slow down and wait is precisely the thing that protects you from identity theft if somebody waits until your phone is turned off, clones your SIM, and pretends to be in precisely this situation.

Hopefully in THAT case, you notice the "somebody is trying to get into your account" and say "no, this is a hack attempt".

Good luck.

1. why don't you have any recovery codes? This topic comes up bi-monthly... (To everyone else reading this, no, you're not immune, go save the backup codes)

2. If it says it's sending a code to a device, that's not SMS, that's Google's own side-channel for trusted, authed devices.

In theory, you should have backup codes and/or the ability to text a number you've confirmed. Maybe you're not seeing the link for "Try Another Way/Method" ?

> If anyone has contacts at google and can tell them, yea, verily, Doreen Michele Traylor is a real person who is real poor and we all know her and please let her keep her phone number and her (my full name) google account and get me out of this fucking nightmare, that would be coolios.

Man, I just don't know what to say here. I really don't want to be mean, but I _really_ don't want someone compromising my HN account and then going "oh yeah, plz remove 2FA from [my Google] account, it's really me for sure". :/ :/

I had a huge scare when I moved to a different country and my sim from my home country stopped receiving SMS for OTP. I got locked out of everything, my financials, emails, work etc.

I paid a premium amount for international roaming to get access to incoming SMS and changed the phone number for OTP. That was anxiety full day.

Later realised that I need to backup my recovery codes on my system somewhere.

Try to find a 3rd party phone repair shop. There's a decent chance they can get your old phone charging pretty quickly and cheaply if it's just your charging port being dirty / faulty.

> Google is convinced I'm trying to break into my own accounts

Yep, the more you attempt the harder it will get, please wait for the 72 hour account hold and if that fails it's best to wait a full week without any sign in attempt or recovery attempts.

Is there any service that presents an elegant solution to managing actual identities on the Internet? If not, it seems like a real problem that needs solving.

I understand people value the ability to express themselves anonymously, but I've also been locked out of legitimate accounts--

If everyone is anonymous nobody can be verified. If everyone's identity is tied to their handle there's no anonymous expression.

If somebody could provide a way to both have and eat the proverbial cake, that seems like real winning proposition in my eyes, something worth paying for...

You remembered me good old book, written by Sam Walton, founder of Walmart (Made in America).

He said very simple thing, which made earthquake of my mind - he started BIG business in small town on periphery, because in large city, all life is constant pursue against time, but in small city, near only weak concurrents. So, for responsible initiative person, small town is great opportunity.

Sure, exists exceptions, for example I'm in Ukraine, here war, economy fall more than 50%, I cannot find work in country, near all employers except very few, asked me, if it is possible for me, to move to safe country (or they will not give me job), and government prohibited all males to leave country.

And You might already understand, I'm now thinking, to write book, or to make computer(or mobile) game, which will teach people, how to survive, because infinite time is only thing, which have every unemployed.

Don't give up! Our good times just postponed, but will return.

Have you tried unenrolling from RCS?

https://messages.google.com/disable-chat

I really don't have anything to say to the OP, but I wonder(in a similar situation) if with the recent push towards e-sim, will SMS based 2FA become more problematic?

If a phone with an e-sim dies, and you need some kind of OTP, I wonder how you'll receive it. You can't exactly 'transplant' the SIM into another phone.

I had two gmail accounts. I created a new account with a pretty popular privacy respecting mail provider. I wanted the first gmail address as a backup (if the privacy respecting one does not work on some sites) while completely deleting the second gmail account.

I wanted some emails from both of these accounts to the new mail provider. So I exported from the first gmail account and then mass deleted all other unimportant mail from the first gmail account.

Then, I did opposite for the second gmail account. I first mass deleted from the second gmail account but then got locked out from my own gmail due to 'suspicious activity'. So now, I can neither import some mails from my second gmail account and neither can delete the entire account, the way I wanted to do it.

Luckily, the second gmail account was the useless one. I tried to unlock it to get my mails, but as usual there is no one to contact at google.

I wish google would have a store you could bring an ID to get your official account unlocked (I have no idea if Apple offers that). A lot of people are getting locked out of their lifes. So many administrations you can only connect to if you have an email or a phone number associated. There is really a need for users to recover by another mean. And sure things are written when you setup your account and the cynicals here will say "caveat emptor", but when you don't know how those things work the amount of information is overwhelming. And often you end up having someone else do the setup for you. Or whatever other reason people designing those systems don't think about.

Hi Doreen,

I hear that. I really loved my last Google Pixel 3, preceded by the Pixel. For some reason it just refused to start up. I couldn't even format it when connected to the PC, it simply died suddenly, without any impact damage. I lost access to Google Authenticator, which I hadn't backed up but actually found the physical paper auth codes I had printed out in case this situation arose, but they didn't work either(!), so I was logged out of Google services for some time, and also lost my 2fa for some accounts to access my paltry spread of crypto junk accounts. I'm sorry and hope you can get decent Google customer service soon.

>the codes are still going to the old physical phone

This is something that your cell phone carrier needs to sort out. This should ideally not happen, but if your number is operational on the new phone, but you don't get texts, the carrier will help you. This is the only problem you have, right ?

Edit: The above refers to SMS. If by codes, you mean google's notifications in their app, that's a different thing. However, google will offer some alternate recovery mechanism - either SMS or a backup email.

I have both YubiKey and SMS 2FA active on my Google account. However, for SMS purposes I got an extra phone number that nobody knows (well, nobody but me, Google and my phone provider) and that is inactive except when (A) I need to use it for 2FA purposes or (B) I need to top it up to keep it in service (which is every 6 months, approximately).

Is there still a risk of someone cloning my simcard even though I did not, ever, share my phone number with anyone?

I'd argue that the most logical long term solution is that Google figures something out with the government. E.g. go to the DMV to recover your account. The government is the fundamental root of trust and authority on who is who, so it just makes sense that your "official" online life should tie in with that like say your google account and online banking (for more casual stuff like say a reddit account, the drawbacks outweigh the benefits).

If anyone got afraid and wants to disable 2fa, go to

https://myaccount.google.com/security

Feels. I had to get VISA to block charges from Google because I moved and changed phone numbers without remembering to change one of my emails on a custom domain.

I'd expect that you'd move your number to your new phone's SIM, and that Google would then let you verify with SMS. Do they not let you do this?

Big tech.. You just need to know someone there to get your stuff fixed.. Only really a problem for the other 99.999999% of the people on the planet :)

This is a bad situation an i really cannot help the OP, but wanted to ask a question to the wider audience:

So... perhaps i live in my german "island of the blissfull" but why rely on google in the first place? There are tons of other options around for email (many of them free or dirt cheap [sdf.org as an example]). So... why giving big-tech the opportunity to ruin ones life in the first place?

It 2fa needed to connect your google account to a new phone?

If not, then 2fa just pisses people of with no security gain But I surely hope it is not!

My phone is still bricked from the onboarding process at Google years ago, and I had to show up in person to get my W2 after I left. Hopefully somebody here can help, but short of a road trip or fixing the device (can often be <$40 to some kid in your hometown, not necessarily a deal breaker), I'd personally start executing Plan B.

Not sure if this is allowed, but @OP I have an extra phone (oneplus 7 pro) that I'd be happy to give you if you need. It has a cracked screen but works well otherwise. If you're in the US I can probably ship it to you?

Google won't help. Step 1. Try a different charger and cable. Step 2 clean out lint. Step 3 use some rubbing alcohol a tiny bit on a q-tip to clean the contacts. Unless the phone is damaged these should get it powered up.

adding: they call it "backup codes" built into android phones even with 2FA turned off

https://support.google.com/accounts/answer/1187538

My old android phone had some kind of hidden code generation tool for Google that worked even when it was offline without a working sim.

Never seen that before or can figure how it works. Must have been some pre-shared encryption before it went offline.

I think it was buried under one of the "try another way" options and they walk you through it with instructions.

(I do NOT have 2FA turned on)

Beside the main point (because I don't work at Google), but can we do anything else to help? I've seen you on here quite a bit, and if you had a PayPal or something I'd happily chip in

Depending on the phone, try a different mechanism to charge it. I used a charging pad when a family members iPhone wouldn’t charge (ie charging mechanism broke; not the battery).

All based upon your email password, and having a recovery account on another service. One email address to rule them all, and one email address per device.

Google has no interest in you or your problems.

I recommend watching the "Talks at Google" channel on youtube to see the kinds of things that interest the people at Google.

I'd try and get your old phone that doesn't charge fixed at a phone repair place. Tell them you are poor and your circumstances.

A recent experience with Instagram has made me wonder whether 2FA is worth the hassle. My phone broke and I hadn’t backed up my 2FA app since joining Instagram (I since switched to 1Password for 2FA) so I couldn’t log in. No problem, I have backup codes in a screenshot - but they don’t work!

I managed to get in touch with their support and had a bunch of back and forth to prove my ID but am now stuck getting “sorry we only have time to review the most urgent requests” auto responses.

I don’t care about my Instagram account but I will probably complain to the ICO here in the UK out of principle as they’re preventing me from accessing my data which is required under GDPR. However, it does make me think what a nightmare it would be if this happened to my Google account. Seems like once you have an issue, you’re stuck as these companies just don’t have human support.

What’s people’s thinking on the best way to deal with this risk? I totally understand why 2FA is required but this experience showed me that stuff can go wrong - in this case my backup codes stopped working.

>I'm dirt poor. Everyone here should know that.

Do I know you?

This has been a long and varied set of threads. All interesting.

Has anyone actually reached out to google yet to help Doreen? If you have, can you just let us know that you have?

I'm sorry that is happening.

This is why you enable multiple backup ways of getting in.

I have a yubikey as my main 2FA. If I lose it or it breaks I can still get in with:

- my spare yubikey

- my phone

- backup codes

This is why you get backup codes and physically write them down.

I know it's of no consolation for you OP at this point though.

Was this resolved?

Things must be pretty bad if HN is your support system

Between this and Voter ID, we're all screwed.

hn-support

best support in tech

If this was a malicious actor trying to break into Doreen Michele Traylor's phone, it would be a 10/10 effort.

Is that SMS codes or an app? How can you know they're being sent to the dead phone when it's dead? Maybe they were never being sent to that number at all?

Obviously there must be a process to gain access when your phone with an authenticator app is lost or destroyed. Why is that process not working?