Google 2-factor snafu - mitigation/future prevention
February 9, 2017 9:47 PM Subscribe
My Android phone crashed and I had to factory reset it. I need my Google account to reactivate it, but the phone was my 2-factor device; I haven't been able to use my backup codes as I can't pass one of the security questions. Thus: no email, no phone, no 2-factor for my other services. Seeking advice for present resolutions and better preparedness in the future.
This leaves me at the mercy of a 3-5 business day wait for their account support to contact me. GMail is a central service in my digital life, so the slow turnaround has left me feeling pretty incapacitated. Worse yet, no texts or phone calls until I can reactivate the phone :(
The security question I'm stumped by is the month and year in which the account was created. The account is roughly six years old, but I've tried to guess it too many times and now Google has locked me out of the self-recover process.
Have you been in a similar situation or managed to avoid falling into one? What steps of mitigation or preparation did you take? Thanks for all advice!
Useful facts:
> Phone is a Moto X, gen 2, on Verizon
> I can do part of the factory reset protection bypass, enough to let me make phone calls but not receive them. The full bypass has been patched, but I might be able to work my way into other stock apps with similarly limited functionality.
> I delete all cookies when I end my browser sessions, so I don't have any cached logins that I know of.
> Tweeting @Google irately and then politely yielded no results. I'm going to try again in the Google Product forums, but lead with politeness instead...
Things I'm considering once this all blows over:
> Create another email account that I pay for, e.g. FastMail, and forward all my GMail messages there as a backup.
> Get a Yubikey or other physical 2-factor device in case my software 2-factor is lost/stolen/broken. I'm not sure if it's possible to set up multiple authenticators on all services but I don't see why, in principle, it wouldn't be. Authy seems to have something along these lines...? Bottom line is that I've lost faith in using backup codes in scenarios where I also get hit with security questions that I did not set myself/that I can't reasonably deduce.
This leaves me at the mercy of a 3-5 business day wait for their account support to contact me. GMail is a central service in my digital life, so the slow turnaround has left me feeling pretty incapacitated. Worse yet, no texts or phone calls until I can reactivate the phone :(
The security question I'm stumped by is the month and year in which the account was created. The account is roughly six years old, but I've tried to guess it too many times and now Google has locked me out of the self-recover process.
Have you been in a similar situation or managed to avoid falling into one? What steps of mitigation or preparation did you take? Thanks for all advice!
Useful facts:
> Phone is a Moto X, gen 2, on Verizon
> I can do part of the factory reset protection bypass, enough to let me make phone calls but not receive them. The full bypass has been patched, but I might be able to work my way into other stock apps with similarly limited functionality.
> I delete all cookies when I end my browser sessions, so I don't have any cached logins that I know of.
> Tweeting @Google irately and then politely yielded no results. I'm going to try again in the Google Product forums, but lead with politeness instead...
Things I'm considering once this all blows over:
> Create another email account that I pay for, e.g. FastMail, and forward all my GMail messages there as a backup.
> Get a Yubikey or other physical 2-factor device in case my software 2-factor is lost/stolen/broken. I'm not sure if it's possible to set up multiple authenticators on all services but I don't see why, in principle, it wouldn't be. Authy seems to have something along these lines...? Bottom line is that I've lost faith in using backup codes in scenarios where I also get hit with security questions that I did not set myself/that I can't reasonably deduce.
Oh but also one of my back-up plans is using my husband's phone number as a secondary option to text a code to. For the future, do you have a partner or family member or close friend you could use for this?
posted by brainmouse at 10:04 PM on February 9, 2017 [2 favorites]
posted by brainmouse at 10:04 PM on February 9, 2017 [2 favorites]
Best answer: In the future, print out the 10 codes they give you as an alternative to the phone app. I have used them. Also, get a Google Voice account associated with a 2nd GMail account. Use that as an alternative method. Let Google send you a text. Also, add your mother's (or a trusted person's) phone to your Google account. Have Google text them a code. Also, I use Google Takeout once every few months and back up all my Google data.
I am not sure why the phone itself can only get incoming calls. All my Android phones (I have 3 active right now) work independent of being logged into a Google account. I need the Google account for my contacts and whatnot, but using the phone for the rest of the phones features such as internet, etc. works. You can download the apps from the play store of go to APK Mirror and download the apk file if you cannot access your account in the play store. You will need to turn on developer settings (easy to do) and check off the allow apps from outside sources.
I flash ROMs on my OnePlus often enough that I run into similar type snafus. I use Titanium Backup to backup my phone. If you backup and use a custom recovery like TWRP, you can install backup recovery pretty easily. Easy like this 50+ something can do it.
If you are logged in to your Google account on a laptop or desktop, as noted above, go to settings on the account and reinstall the Google Authenticator app on your phone and scan a new QR code and then you will be able to use that to get into your account on the phone. The authenticator app is not tied to a specific google account. Rather, you can scan a lot (I have 6) accounts and use the same app for authentication purposes on different accounts. It generates codes for them all separately.
I am sure there is a workaround, but, to me, the best method for the future is to have the 10 hard codes printed out in a safe place you can refer to in a crisis.
(Not sure if any of this makes sense. I am not technical, I just know how to do it.)
posted by AugustWest at 10:19 PM on February 9, 2017 [4 favorites]
I am not sure why the phone itself can only get incoming calls. All my Android phones (I have 3 active right now) work independent of being logged into a Google account. I need the Google account for my contacts and whatnot, but using the phone for the rest of the phones features such as internet, etc. works. You can download the apps from the play store of go to APK Mirror and download the apk file if you cannot access your account in the play store. You will need to turn on developer settings (easy to do) and check off the allow apps from outside sources.
I flash ROMs on my OnePlus often enough that I run into similar type snafus. I use Titanium Backup to backup my phone. If you backup and use a custom recovery like TWRP, you can install backup recovery pretty easily. Easy like this 50+ something can do it.
If you are logged in to your Google account on a laptop or desktop, as noted above, go to settings on the account and reinstall the Google Authenticator app on your phone and scan a new QR code and then you will be able to use that to get into your account on the phone. The authenticator app is not tied to a specific google account. Rather, you can scan a lot (I have 6) accounts and use the same app for authentication purposes on different accounts. It generates codes for them all separately.
I am sure there is a workaround, but, to me, the best method for the future is to have the 10 hard codes printed out in a safe place you can refer to in a crisis.
(Not sure if any of this makes sense. I am not technical, I just know how to do it.)
posted by AugustWest at 10:19 PM on February 9, 2017 [4 favorites]
Is your phone number set up to receive recovery texts? You shouldn't need to log in to get texts, but if you're having trouble you could always ask a friend to pop your sim card into their phone long enough to get the text. Or get a cheapo burner phone for the same purpose, if you're traveling or something.
posted by matildatakesovertheworld at 12:53 AM on February 10, 2017
posted by matildatakesovertheworld at 12:53 AM on February 10, 2017
Yeah, I'm confused - can you not receive texts at all?
If the phone does require a Google account to use it fully, could you just set up a random new account, use it to sign in to the phone, and then receive your 2fa text?
posted by trig at 2:46 AM on February 10, 2017
If the phone does require a Google account to use it fully, could you just set up a random new account, use it to sign in to the phone, and then receive your 2fa text?
posted by trig at 2:46 AM on February 10, 2017
(Never mind, now I see the reset protection part. I'd second the advice then to just try your sim in another phone.)
posted by trig at 3:10 AM on February 10, 2017 [1 favorite]
posted by trig at 3:10 AM on February 10, 2017 [1 favorite]
Were you using the Google 2-factor App to generate login codes, or receiving codes by SMS?
If the former, did you have your backup codes written down? Because they ought to "just work", but Google may have put an extra layer of security on your account because of all the failed login attempts. If the latter, then transfer the SIM to a different phone so you can receive the SMS messages & go from there.
Personally, I have a U2F key (cheap thanks to a Github promotion) as well as the phone App, so I have multiple 2-factor options available in case my phone dies.
posted by pharm at 3:42 AM on February 10, 2017
If the former, did you have your backup codes written down? Because they ought to "just work", but Google may have put an extra layer of security on your account because of all the failed login attempts. If the latter, then transfer the SIM to a different phone so you can receive the SMS messages & go from there.
Personally, I have a U2F key (cheap thanks to a Github promotion) as well as the phone App, so I have multiple 2-factor options available in case my phone dies.
posted by pharm at 3:42 AM on February 10, 2017
Best answer: I'd track down another phone to temporarily put your SIM in so you can receive the 2fac text.
Two things I'd recommend once this is sorted out: save backup codes for all of your 2fac enabled sites (personally I put these in an encrypted archive and store it on google drive/icloud/S3/locally with the assumption that I can't lock myself out of all of them at once); if you're considering paying for eg. Fastmail, consider just using that as your primary account instead (email's the key for all of my other account unlocks, so I do like the idea that if I get locked out there's someone I'm paying with a customer support line who's motivated to help me).
posted by revertTS at 3:44 AM on February 10, 2017 [1 favorite]
Two things I'd recommend once this is sorted out: save backup codes for all of your 2fac enabled sites (personally I put these in an encrypted archive and store it on google drive/icloud/S3/locally with the assumption that I can't lock myself out of all of them at once); if you're considering paying for eg. Fastmail, consider just using that as your primary account instead (email's the key for all of my other account unlocks, so I do like the idea that if I get locked out there's someone I'm paying with a customer support line who's motivated to help me).
posted by revertTS at 3:44 AM on February 10, 2017 [1 favorite]
Response by poster: Thanks for all suggestions so far. I do have my backup codes, but in the shuffle of editing this post I left out that I'm unable to use them. If I try to enter one in the standard 2-factor auth field, I'm told "It looks like you entered a backup code. Click 'Try another way to sign in' and select the backup code option." If I do click on that link, my only options are to "Get a verification code from the Google Authenticator app" or to "Ask Google for help getting back into your account". I'm guessing that if I were able to answer all my security questions, they would then prompt me for a backup code, but as it stands there's nowhere to enter them.
My phone shouldn't be able to receive texts or calls at all because Android requires you to re-authenticate a previously synced Google account post-factory reset as an anti-theft measure. To clarify why I can send calls: I was able to use part of the FRP bypass to get into Android Settings where I was able to set a lock screen PIN. Now, instead of booting to Google's setup app, my phone boots to the lock screen and I can select the phone from there. I've tried calling and texting my phone, but no dice.
Duly noted with the SIM card swap, but since my 2fa was set up only to use the software endpoint on my phone, I'm not sure how I would coax Google into sending me a text instead.
FastMail, TWRP, and setting someone else's phone/email for recovery are great suggestions. Thanks!
posted by .holmes at 6:36 AM on February 10, 2017
My phone shouldn't be able to receive texts or calls at all because Android requires you to re-authenticate a previously synced Google account post-factory reset as an anti-theft measure. To clarify why I can send calls: I was able to use part of the FRP bypass to get into Android Settings where I was able to set a lock screen PIN. Now, instead of booting to Google's setup app, my phone boots to the lock screen and I can select the phone from there. I've tried calling and texting my phone, but no dice.
Duly noted with the SIM card swap, but since my 2fa was set up only to use the software endpoint on my phone, I'm not sure how I would coax Google into sending me a text instead.
FastMail, TWRP, and setting someone else's phone/email for recovery are great suggestions. Thanks!
posted by .holmes at 6:36 AM on February 10, 2017
I think you're on the right track. I have a few backup methods: number that google will text codes to, google authenticator, YubiKey, and printed out backup codes.
One last thing to consider is you should use your recovery methods to make sure they work and you know how they work. Google prompts you for a code, use the YubiKey, next time use a printed code, next time get a text message.....
posted by gregr at 6:45 AM on February 10, 2017 [1 favorite]
One last thing to consider is you should use your recovery methods to make sure they work and you know how they work. Google prompts you for a code, use the YubiKey, next time use a printed code, next time get a text message.....
posted by gregr at 6:45 AM on February 10, 2017 [1 favorite]
Instead of entering the 6-digit code, click "Try another way to sign in" at the bottom, then you should get a big list of optional 2nd factor choices, including the option to enter an 8-digit backup code, get a phone call to a phone number that Google already knows is connected to you, use a security key if you have one etc etc.
If that big list is not available then I’m afraid you’ve locked the account yourself by trying to guess something you didn’t know & are just going to have to wait for the manual Google process to resolve itself.
posted by pharm at 7:12 AM on February 10, 2017 [1 favorite]
If that big list is not available then I’m afraid you’ve locked the account yourself by trying to guess something you didn’t know & are just going to have to wait for the manual Google process to resolve itself.
posted by pharm at 7:12 AM on February 10, 2017 [1 favorite]
use the backup code to sign in on a desktop browser and turn off two factor temporarily so that you can setup your phone and then re-enable it.
if you're already signed in a desktop browser somewhere, just turn off two-factor temporarily.
posted by noloveforned at 7:23 AM on February 10, 2017
if you're already signed in a desktop browser somewhere, just turn off two-factor temporarily.
posted by noloveforned at 7:23 AM on February 10, 2017
Response by poster: To reiterate, there are no active browser sessions / cached trusts available for this account.
I am definitely not surprised that I am locked out now, but I never had a chance to use a 2-factor backup code or other recovery method, describes may have gotten locked as soon as I factory-reset my phone... let this be a cautionary tale, I suppose.
posted by .holmes at 10:36 AM on February 10, 2017
I am definitely not surprised that I am locked out now, but I never had a chance to use a 2-factor backup code or other recovery method, describes may have gotten locked as soon as I factory-reset my phone... let this be a cautionary tale, I suppose.
posted by .holmes at 10:36 AM on February 10, 2017
So when you try and log in to Google in a browser, what happens exactly? For me, I put in username & then password on the next screen, after which I am asked for my 2-factor code, and under that text-entry box is a link to click that says 'Try another way to log in'. Which part of that sequence is missing for you?
posted by pharm at 1:17 PM on February 10, 2017
posted by pharm at 1:17 PM on February 10, 2017
Response by poster: Thanks for bearing with me, pharm.
After entering my username and password and arriving at the 2-step verification screen, I can paste my backup code into the "Enter the 6-digit code field". If I do, I get the message 'It looks like you entered a backup code. Click "Try another way to sign in" and select the backup code option.'
When I click on 'Try another way to log in', I have two options: (A) 'Get a verification code from the Google Authenticator App', which bounces me back to the 2-step verification, or (B) 'Ask Google for help getting back into your account.' From Option B I get prompted to enter my phone number (works), answer a security question that I do know (works), then answer the month/year of account creation which I don't know. Regardless of what I enter for the last security question, I get the following instructions:
"1. Enter an email address you can check now. It helps if you use an email you’ve already added to this account.
2. Google will send a verification code to that email.
3. Enter the verification code here.
4. If Google can verify that this account belongs to you, you’ll see instructions to help you sign in"
I've been entering my university email which has had a lot of interaction with that account (everything used to forward university -> personal GMail) but has never been part of it. Once I submit, I receive a verification code at my university email which, once entered, lands me at a page asking me to "briefly tell us why you can’t access your account. Google will get back to you in 3-5 business days". I've done this a couple dozen times now; my suspicion is that if I had been able to answer the account creation date question correctly on one of my earlier tries, it would've allowed me to enter a backup code. (Maybe not?)
posted by .holmes at 5:37 PM on February 10, 2017
After entering my username and password and arriving at the 2-step verification screen, I can paste my backup code into the "Enter the 6-digit code field". If I do, I get the message 'It looks like you entered a backup code. Click "Try another way to sign in" and select the backup code option.'
When I click on 'Try another way to log in', I have two options: (A) 'Get a verification code from the Google Authenticator App', which bounces me back to the 2-step verification, or (B) 'Ask Google for help getting back into your account.' From Option B I get prompted to enter my phone number (works), answer a security question that I do know (works), then answer the month/year of account creation which I don't know. Regardless of what I enter for the last security question, I get the following instructions:
"1. Enter an email address you can check now. It helps if you use an email you’ve already added to this account.
2. Google will send a verification code to that email.
3. Enter the verification code here.
4. If Google can verify that this account belongs to you, you’ll see instructions to help you sign in"
I've been entering my university email which has had a lot of interaction with that account (everything used to forward university -> personal GMail) but has never been part of it. Once I submit, I receive a verification code at my university email which, once entered, lands me at a page asking me to "briefly tell us why you can’t access your account. Google will get back to you in 3-5 business days". I've done this a couple dozen times now; my suspicion is that if I had been able to answer the account creation date question correctly on one of my earlier tries, it would've allowed me to enter a backup code. (Maybe not?)
posted by .holmes at 5:37 PM on February 10, 2017
Hmm. I get that "Try another way to log in" directly under the first text box where you can enter the 6 digit code.
But it does look like your failed attempts have triggered a higher bar than normal. You may just have to wait it out.
posted by pharm at 6:16 AM on February 11, 2017 [1 favorite]
But it does look like your failed attempts have triggered a higher bar than normal. You may just have to wait it out.
posted by pharm at 6:16 AM on February 11, 2017 [1 favorite]
« Older Name Some Movies That Depict an Aircraft Fighting... | Can VR headsets work in presentation skills... Newer »
This thread is closed to new comments.
posted by brainmouse at 10:01 PM on February 9, 2017