Ask HN: How to prevent lockout from Google Account in case of phone theft?

7 points by 101008 a month ago

Unfortunately, in Argentina, there are increasingly more cellphone thefts (more than usual, which is already high), and I'm becoming a bit paranoid. So, I would like to have a plan B. It's not that the value of the device doesn't matter to me (replacing my Pixel 7 will probably cost me a lot), but I'm also concerned about the accesses I have stored on it and want to avoid future problems.

The central access to almost everything in my life is my Gmail account, and I also use Google Auth for 2FA codes (which I have backed up in the cloud). My biggest fear is having my cellphone stolen and, when I try to access my Gmail account from my laptop, not being able to do so for some reason and getting locked out forever.

I thought of using an old Google Pixel that I have and installing only Gmail and Google Auth with my Google account on it to have it as a backup. Is this a good idea? I'm not sure if Android allows the same Google account on two different devices. If this is not a good idea, what do you suggest?

solardev a month ago

Don't save your passwords and 2FA in the Google Cloud. Use a separate service like 1password or Bitwarden instead, which can sync 2FA across multiple devices. That way you can always get back into your Google account if you lose a device (as long as you remember your master password to the other service). Unlike Google Authenticator, these services don't lose your 2FA if your device is lost.

Yes, you can log into multiple devices (Android or otherwise) with the same Google account. I usually stay logged in to Gmail/Chrome on my computers, iPad, Android phone, and gaming handheld (a Logitech GCloud running Android). If one of them gets stolen, the others are still logged in and you can use Find My Phone to remotely erase the stolen one and/or change your password.

You should also add a recovery email and phone to your Google account: https://support.google.com/accounts/answer/183723?hl=en&co=G...

Oh, and set a lock screen on all your devices with a good password, and have them automatically lock when you turn off the screen and/or in some reasonable timeframe (a few min) in case they get stolen. Make a habit of locking your screen any time you walk away and leave your device unattended.

Turn on full-disk encryption. (I think this is the default on newer Pixels).

With the above, if anyone does steal your device, erase it remotely and then sign in to your account again from the replacement device. You might get asked to confirm it from another device, or hopefully you have a 2FA code you can use that's in your password manager.

  • 101008 a month ago

    Thank you very much for your suggestion about using 1password or Bitwarden. I will try to move from Google to any of those two services for 2FA.

    I stay logged into Gmail/Chrome in all my devices, but from time to time (sometimes months?) I am asked to relogin. And I just panicked imagining that scenario (though, I remember, I am only asked for the password, not the 2FA code).

    Yes, I do have a lock screen almost all the time. I wasn't much worried about what the thief could do with my phone, but mostly what I couldn't do without it.

    Thank you again for taking the time to write this.

KomoD a month ago

> The central access to almost everything in my life is my Gmail account

This is a problem: you really do not want to rely on Google for everything. Not just because of the possibility of getting locked out due to e.g. theft, but because Google might shut your account down at any moment (I know several people whom this has happened to) or it might get compromised.

> My biggest fear is having my cellphone stolen and, when I try to access my Gmail account from my laptop, not being able to do so for some reason and getting locked out forever.

You can generate backup codes for your Google account, store them somewhere at home (I have mine in a safe).

Regarding Google Authenticator, there is a way to export the TOTP secrets, so print them out also and store them somewhere (or maybe KeePassXC with the vault stored on a USB stick?)

Suppafly a month ago

We have Google Fi and I bought my wife a new phone. She's one of those people that often forgets passwords, so to activate the new phone was like a 2-day wait since she wasn't able to authenticate from the old phone or computer and didn't have her password for the new phone. Luckily Gmail support did reset it, because Google Fi has no real support.

Having a backup device should help, but you may still end up locked out for a day or two if the initial verification fails. I don't remember why it failed for my wife, typically they just send a number or a prompt to the other device that you have to enter into the new device.

IIRC they also have secret keys you can print out ahead of time that you can use to recover your gmail. Presumably you'd put them in a safety deposit box or store in another secure location.

chrisjj a month ago

This is a really good question.

2FA is touted as improving security, but whether it in fact does depends on the individual user's weighting factors on the confidentiality-integrity-availability triad.

Your situation sounds like one wherein the raise on the risk to availability easily outweighs the drop on the other two.

2FA aside, the other consideration is additional risk from having made your phone available to Google's opaque verification process. If e.g. Google would offer your thief password recovery via the phone number, then involving your phone with your Google account could be very unsafe.

Zambyte a month ago

I suggest minimizing your dependency on Google. You should assume that at any moment they will decide to terminate your services, and act accordingly. Losing access to an account you do not have control over should not be more than a slight hiccup.

kstenerud a month ago

Yup, using a backup device is the way to go.

  • chrisjj a month ago

    How would that prevent a thief using the main device to take over your account?

    • solardev a month ago

      If your phone has a lock screen, how would the thief use it to take over your account? Having a backup device lets you verify your identity more easily if your main device is stolen. It's not to add additional security, but additional recoverability.

      • chrisjj a month ago

        Steal it inside the time-out for starters.

        > Having a backup device lets you verify your identity more easily if your main device is stolen. It's not to add additional security, but additional recoverability.

        Security includes recoverability.

        And note that added recoverability can subtract net security. Attackers often use recovery options to break-in. Before enabling recovery via phone, I'd want much more certainty about the phone security than I know how to get.