Ask HN: Google claims impossible to access my email I have password to. Is it?

18 points by survirtual 4 years ago

I am bringing this to your attention because, if nothing else, I find it to be an interesting and thought provoking situation, and if any group could realistically do something about these kinds of problems (my case not withstanding), it’s you all.

I am trying to access an email from my early twenties for nostalgia and archival purposes, and I know my username and password but the old email I used for recovery is with a now defunct provider. I attempted to purchase the domain of that provider, but it’s registered to a domain reseller and I offered up to $200 with no response, and even that amount seemed absurd to me.

Following all of Google’s docs, I saw there was no avenue via Google to access the account without that recovery email. There more I thought on it, the more it seems like a policy that fails a smell test of human decency. Here is an exchange I am having on the Google community page:

https://support.google.com/accounts/thread/166498610?hl=en

Interestingly enough, a prime reason I am trying to access this email is to complete my process of “De-Googling” (if you are interested, I can tell you about this experience; I am near completely degoogled now and have a nice, secure alternative in place) I want to archive all my Google data to my own servers, then remove the data from Google. Getting access to these loose ends gives me closure and peace of mind. I find it scary that a third party can have access to information about me, in this case thousands upon thousands of lines of my writing and exchanges, then simultaneously deny my access — even when I have all the authentication methods required when the initial “contract” of use was established.

I think all of us need to take a bit more care when it comes to user data. These are more than just products and services; these are people’s memories. People with wants, needs, joys, fears, and a whole range of experiences. Technology and processes should do their best to offer value while minimizing suffering invoked. They should augment the human condition, not diminish in. In a case like mine — which is uncommon but not unprecedented — I entrusted a service believing I would have access to it with a username and password. I had an understanding ofthe risk profile with that and was okay without 2fa. The provider changed the contract without my consent and in doing so, has cut away my memories offloaded from my brain to their service. There is something here that feels really wrong.

Sidenote:

If this seems complainy or ranty, I apologize to your senses. I don't see it that way; if I did, I would not be posting. If you do feel that way, I'd like to know and have a conversation about it, and I would like to know your opinion on methods to properly talk about these kinds of issues in tech.

unknownaccount 4 years ago

Ensuring the recovery email provider being used for your account remains active is your (the users) responsibility. You call the recovery email “invalid” but in this case it’s a perfectly valid email address because somebody owns that domain. There’s no way you can expect Google to make a special arrangement for you to change the email at the behest of social engineering. What you’re trying to do is get a google employee to removing/changing that recovery email against standard protocol and I hope it doesn’t happen for (everybody else’s) security’s sake.

  • survirtual 4 years ago

    This is entirely ignoring the point of what I am saying.

    I have my username and password. The recovery email is bound to a defunct email provider. It is non-standard. I am able to recall both the name of the email and and defunct email provider. I am entering a correct password.

    I am not trying to recover an account. I am logging in with a correct username and password then being prompted for recovery autonomously.

    To say there is a fixed process without exception handling is not being secure. It is being lazy. There is no security concern with looking into a case like this, having a process for exceptional circumstances, and providing an avenue to move forward.

    This avenue can be programmatic. Give I have a username and password along with the recovery email address, that is enough evidence for some kind of autonomous privileged escalation with an AI that has access to my emails. We already know that gmail is scanned and indexed, and used for advertising. Why can’t that be used for identification?

    More to the point: when I set up a recovery email, I thought it was for recovery. I still thought that to this day, up until this point. I had no idea they were used as 2fa. This is not something that was told to me. If I was aware of that, I would have made a greater effort to keep that up to date on emails.

    Unfortunately, life and bad mental health have a way of making time pass. The passage of time is not a reason to lock someone out when they accurately recall their authentication method. At a minimum after such a duration, it should allow login and then prompt to review recovery options. After reviewing the options, a new consent should be issued informing this information should be kept up to date, or you may be locked out of the account.

    This consent was never provided to me on initialization of the account. Terms were changed and access autonomously denied. What if terms change again and they add an esoteric security key for all accounts automatically? Your password and recovery email is invalid for security reasons and unless you use a security key, you will be locked out. And you have a month to do it.

    That is how this is, but the timescale is just longer. I don’t think it’s defensible.

  • cantrevealname 4 years ago

    I understand the situation as follows:

    - OP has an old Google account and he remembers the correct username and password.

    - OP had added a recovery email address to that account. A recovery email is used if you forget the username and password. Google was not using the recovery email for 2FA (and he was OK with that).

    - At some point Google decided that they'll do 2FA whenever they felt like it even if you knew the correct username and password. Google decided to use the recovery email address for 2FA (even though this wasn't the original purpose of the recovery email).

    - At some point OP's recovery email address stopped working.

    - Now OP can't login even though he knows the correct username and password.

    So OP is not complaining that he forgot his username and password and can't use his recovery email.

    His complaint is that he knows the correct username and password, and shouldn't need the recovery email at all, but Google changed the rules on him and now requires the recovery email to do 2FA to let him in.

    An analogy would be if you created a Google account with the name Toaster Oven (I assume Google allows fictitious names, right?). Then at some point in the future they change the rules and require everyone's ID on file and demand you send a scan of your passport or driver's license in the name of Toaster Oven before you can login.

    • unethical_ban 4 years ago

      I loathe organizations that do this, Google being most prominent. Do not force any new steps into a login process without first informing the user!

      Related: banking apps on mobile that log you out after some number of days. They don't tell you at ligingow many days your session is still valid. Just one day, "oh, give me your password".

      Fortunately I'm savvy enough to have my password safe with my at all times. A less techy user might be on vacation and suddenly get kicked out of critical tools.

    • xyzzy123 4 years ago

      There are some interesting wrinkles to this kind of scenario though.

      For example, using password dumps it's pretty easy to find large numbers of account credentials which work to access email accounts (by stuffing u/p from breached site into email provider).

      Knowing u/p of an account is a weaker signal of ownership than it used to be. Particularly if the account is old and has a weak password.

      Although OP didn't do it, buying up defunct domains used for recovery emails and taking them over also removes any "proof of ownership" value that the recovery email is supposed to provide. Anyone can do that and it's an exploit of an imperfect process.

      The OP is secure in the knowledge that they own the account, but from a process point of view the provider does not believe they have strong evidence that is the case.

      The security landscape, technology and defense measures change over time, and I agree it sucks that the OP can't access their account due to factors outside their control.

      P.S: Were the credentials on your gmail account ever disclosed in a breach? (e.g is the password on haveibeenpwned).

carapace 4 years ago

I can't help you, sorry, but I can commiserate. I have (had) an ancient account on Yahoo, lost access to it, lost my backup drive (it was in storage for years, I eventually found it again but it's effectively a brick) and then Yahoo reincarnated itself a few times(?), anyway, the data is toast, it probably still exists somewhere but there's no realistic way that I'm ever going to see it again.

- - - -

I think about this stuff a lot. On the one hand, I have trained myself over the years never to blame the user. On the other hand, since we are rapidly wiring up our civilization and society to depend utterly upon computers I feel it behooves the average person to educate themselves about them at least to a level of basic computer literacy (or risk becoming a kind of serf or peasant.) On the gripping hand, there certainly are groups of people (corp, state) who seem really into the idea of creating a "peasant" class that supports them but has no effective power over them. Those folks strive mightily to shepherd their customers into their silos (the metaphor becomes a bit mixed, sorry.)

  • Komodai 4 years ago

    That Yahoo account and its data is probably long gone considering Yahoo deletes inactive accounts

    • carapace 4 years ago

      That's one of the things I think about. I figure there's a non-zero chance that various groups or interests may have hacked Yahoo and stolen (a copy of) the data before they erased it. I wonder if, out there in some spy agency or pirate kingdom, the legal and illegal and lost-to-public databases linger in a kind of limbo. Perhaps one day some team of archeologists sussing out the tomb of some unknown king might find a hoard of data...

olliej 4 years ago

At its core - from Google's PoV - they've decided to protect your account with two factor authentication. Their system couldn't verify your machines actually belonged to you, and so attempted to verify via the 2nd factor.

The whole point of 2FA is that it isn't bypassable, otherwise what would be the point? Complaining at them over any medium (including a complaint on a forum like HN) is indistinguishable from any other social engineering/hacking attempt. Someone attempting to social engineer their way into an account by definition wants to look as much like legitimate customer.

The core issue from your point of view is that they appear to have chosen to arbitrarily use your recovery email as a second factor without first telling you and/or getting consent.

At the more extreme end Apple's iCloud encrypts the increasing majority of data with keys that they fundamentally have no access to - the recovery devices (and you can make a non-device recovery key that I assume is tied to their iCloud key vault or whatever it's called). In the event you lose your recovery devices + account recovery key your data is gone - no one has the decryption keys, and Apple's only available option for you is an account reset. I know much less about the state of Google's cloud account encryption, but they always seemed more interested in having the ability to analyze account data.

  • survirtual 4 years ago

    The Apple comparison is invalid because if you losing a key is equivalent to losing a password. I haven’t lost my password here.

    A more apt comparison would be that there are 2 security keys, one you have and one you are expected to store for recovery purposes, in event the main key is lost. You lose your recovery key but still have your primary key.

    At some point without your consent, however, it becomes Apple policy to intermittently require your recovery key in addition to your security key. This is a new policy and no consent process was established. They also make it so you cannot validate your recovery key and replace it if necessary, including no communication of the new practice for user review (which establishes a higher precedence for securing the recovery key).

    • olliej 4 years ago

      Oh, I recognize the apple "you lost your identity" isn't a great match here, just that there do exist cases where its possible that it's literally impossible to recover data.

      I recognize that is not the case for you, it sounds like google decided without either informing you or gaining consent that they were going to use your recovery password as a second factor (unless that's stated in initial sign up, which could be plausible given the world of tech small text).

      The problem from Google's point of view now, is that given the existence - rightly or wrongly - of a 2nd factor, everything you do is fundamentally indistinguishable from a hacking/social engineering attempt. That is what I was trying to communicate. I want to be clear, I am not agreeing with google's behaviour w.r.t unilaterally applying 2nd factor, just that given that in their database your account has two factor, by definition your username+password cannot be considered sufficient.

      The alternative would defeat the purpose of 2nd factor.

      • survirtual 4 years ago

        Right, and I think that fact that I, as the valid account holder, have been placed in a category of indistinguishable from someone social engineering access to my account, simply for not updating a recovery email, makes it all the more irritating.

        It is trivially easy for google to validate if the email in use is still valid. I haven’t cared to look into the inner workings of email but surely there is also a host signing key for emails too, or some kind if protocol level handshake.

        Anyway, my only hope is being okay spending more money to buy the domain. When / if that happens, I will make it possible for anyone else to recover their old email with it.

        • olliej 4 years ago

          Oh, no part of the problem with email is that there is no authentication of mail servers, etc. It hails to a bygone age of hopeless optimism :D

          To repeat though, I wholly agree it is wholly unreasonable for Google to repurpose anything on your account for 2FA, without consent and explicit clear notification.

          I'm sorry this has happen, it really does suck, and I hope maybe you can coax the domain owner into adding just a forwarding address rather than having to buy it :-/

  • pid-1 4 years ago

    Without a time machine, there is no way OP could have predicted their recovery email would eventually be used as MFA.

    • olliej 4 years ago

      Yes, as I said it's not reasonable from the end users perspective, but having done so, allowing username+password to bypass the 2fa isn't possible.

      It is dumb, what they should have done is notified the user that they needed to set up some form of 2/MFA, not choose random value from profile to become one.

Vladimof 4 years ago

It happened to me... I had to give them a phone number (any, apparently) to get access back to it. I also had the correct password, and even the previous password but I didn't enable 2FA.

Sometimes it is also possible to unlock the account using another device that previously accessed it.

This is ridiculous... I now forward all my emails to another account just in case it happens again.

  • survirtual 4 years ago

    Back when I used this account, I didn’t have a smartphone. I had a razor flip phone. The device used to login was an old laptop that I destroyed years ago.

    I just do not understand how the designers of this process thought it okay to lock people out in the name of security. Give people tools to be secure and guide them towards appropriate process, but don’t modify contracts and established mechanisms in the name of security. If someone gets their data compromised as a result of their own negligence, let them.

    I did not ask nor want 2fa for this account. If I did I would have added it. What I was forced to add was a “recovery email” to be used in the event that I forgot my password.

    • Vladimof 4 years ago

      I'm thinking the exact same way... they just want to tie your account to your real identity more accurately... I think "security" is a pretext even if it might be adding security.

GistNoesis 4 years ago

A long-shot, but given that you know your credentials, have you tried an other interface like a mail client connecting through POP/IMAP/SMTP (if you have ever enabled them in the past).

  • survirtual 4 years ago

    Never enabled for this account unfortunately. If that were enabled, I would have already downloaded all emails and proceeded to delete them off Google. Thank you for the suggestion though.

    • phonon 4 years ago

      What about Google Takeout?

      • BenjiWiebe 4 years ago

        You'd have to log in for Google takeout, I hope.

        OP can't login.

        • phonon 4 years ago

          Maybe the login for takeout won't have the same issue....worth a shot!

bradknowles 4 years ago

I have a similar problem with an iCloud account. That domain no longer exists, and so therefore I can't ever reset that password, and I can't ever access that account again.

lesuorac 4 years ago

I assume an arbitrator or judge would be able to help you much better than any of us.

shkkmo 4 years ago

If your main goal is the deletion of the data, you might be able to use GDPR processes to accomplish that.