Gmail as a threat to data access: forced 2-factor login, random lock-outs
12 by reactspa | 6 comments on Hacker News.
If you have a bunch of Gmail accounts (as I have), please be warned about a couple of troubling issues I've experienced recently, that may be coming your way.

--------------

Issue 1: On my main account, Google recently forced me to accept 2-factor login via my Android phone. I did not volunteer to do this. I now cannot log into my email without having my phone present.

I forgot my phone at home one day. I couldn't log into my Gmail in my office that day. Fortunately I didn't have any important presentation or someone dropping into my office whom I had to show something in my Gmail, etc. Or I'd have been in a soup.

Let's say I'm traveling somewhere, and I lose my phone. And I have access to someone's PC. If I want to log in to use "Find my Android" to find my phone, I cannot do this without my phone. In what universe does this make sense? (Not to mention if I want to log in to check urgent messages, or to send urgent messages.)

As useful as it is, the smartphone does not deserve such over-weighting.

--------------

Issue 2: On some of my secondary Gmail accounts, on my primary device (a Windows PC), Gmail will randomly refuse to log me in (usually in an incognito Chrome window) even after correctly guessing my "recovery email address", AND using a code emailed to my "recovery email address", AND using a code texted to my phone.

After refusing to log me in, it will send a self-congratulatory email to my "recovery email address" letting me know that it just stopped a serious security threat by refusing to allow a suspicious log-in attempt. The main reason for this behavior seems to be that "the device isn't recognized". In this email they send to my "recovery email address" there's no way for me to indicate that this was a genuine attempt.

The oddest part of this saga is that there seems to be no way for me to train Gmail to recognize a new device. Because a device being "an unrecognized device" is grounds for not allowing me to log in.

Update: just want to clarify that my secondary Gmail accounts don't have 2FA (yet).

--------------

Is this the best that such a large software company can do? Is this a hint at the future when flawed AI will get to decide whether you can log in or not? I hope this is an indicator of the beginning of the end for Google.
