Wife locked out of her Google account

Discussion in 'mobile device security' started by Luxeon, Jun 12, 2022.

  1. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    131
    I wasn't sure where to post this, but I figured you folks are my best chance of finding an answer.

    On Wednesday my wife was trying to restart our Disney Plus service, via her Pixel phone (android 12).
    She's prompted for a Google password.

    She couldn't remember her Google password, so she clicked the " I can't remember my password" link.
    She apparently reset her password, and was then sent to a two-factor verification.
    It was supposed to use a prompt on her phone, but this didn't occur.
    After several failed attempts to get the prompt, she was offered another method: provide an 8 digit backup code (which she had not set up, thus she had no code).

    It also sent a 6 digit code to her recovery email.

    She tried to use the code, but it sent her back to the same 2FA as before, and she ended up in a loop.

    At some point, she had too many attempts and she had to select account recovery.
    It stated a link was sent to her Gmail address, which she could not access because the account is locked.

    She also received a message, at some point, stating reset couldn't occur because she was signed into an account.
    She checked and wasn't signed in anywhere.

    Apparently Google was supposed to send a recovery link to her recovery email, but it hasn't happened.

    I found numerous complaints of this issue, with no clear path to resolution.
    Some suggested waiting a week without any attempt at recovery...but there is no indication this works.
    Apparently Google is having issues with 2fa, but there is no way to attain support.

    This person posted a nearly identical encounter:
    https://www.retrobike.co.uk/threads... you're already signed,where you're signed in


    Any ideas?

    Bob
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Was this all done on the phone? Maybe she is also logged in somewhere else? Some desktop browser? Did she wait at least ~10 minutes and check both the regular inbox and the spam/bulk e-mail folder on the recovery account?
    Even if she is not logged in anywhere else, then maybe there are still some cookies that will mark the device as trusted (second factor) and let her use the password recovery tool?
    Best chance is to wait some time (24h or a week? I don't know) then use a known device (desktop/laptop/Chromebook browser) on the same IP address that her device was connecting from before. Chances aren't big though...
     
  3. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    131
    Yeah, she checked that she was signed out of everything she could think of.

    I'm not an expert, but I am reasonably savvy with this stuff and I'm stumped.
    What really sucks is that she cannot access email, contacts or calendar.
    I fear we are at their mercy, with no indication that anything is being done.

    I just got more info: she said that she submitted the initial account recovery request but it was cancelled because she was still signed in somewhere.

    After assuring that she was logged out of everything, Google indicated they were sending another verification code/link to her inaccessible Gmail.

    Bob
     
  4. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    The same thing happened to me. I think I've lost my accounts that I've had for over a decade.
    This was always a problem to me because I could never remember what I'd put for recovery questions (mother's name, first pet cat, or whatever). Years ago most people didn't want to put in their real details for Giggle accounts for the sake of privacy and security to a data mining company. At first these 'free' accounts were not all that important but as the years go on we use these accounts to join things and grow a network of friends, associates etc and then it becomes important to keep the account.
    As time has gone on, Giggle has changed various things, presumably to make people more accountable and weed out these accounts that are not (as they see it) in their best interests.
    Recently they sent out warnings that some security changes were about to occur...regarding pop3 and smtp accounts having to move to auth2 (I think). 'You may lose access to some of your third-party apps'
    This has been a nightmare on my older system because I never login to those Google accounts on a webpage as it has been increasingly difficult to login on an older browser or system and the 'authentication' hoops that you have to jump through are impossible to get through without getting blocked. This is almost impossible to undo when it occurs. The slightest small mistake entering a URL and you are lost. Fortunately because I used only smtp and pop3 on my machine I have the data to and from the communication with friends and others.
    It is, though, a massive blow and hit me more than I could have imagined psychologically.
    I have no valid argument and in a way it is my own fault for jumping on the 'free' ride. The exact same thing occurs with free web hosts when you have engaged and got established and habituated they will dump you and become inaccessible unless you go for the paid account.
    I've always resented the onslaught of browser and operating system changes that are not backwards compatible and leave many in the dust just because they wont (or can't) dance to the master's tune.
    Often these changes come under some 'security' measure but often you can see that they want you to give more of yourself away and remove any element of independence. Cloud this and Captcha that...it's become like a minefield for those that want real security and privacy and to run a system that they control themselves.
    These organisations want to make a 'blanket login' for many services so one login for all and for you to be constantly monitored and accountable to them in all strata. They want your phone number, the colour of your child's eyes, what you are having for dinner, and a million more points of data to expose you to becoming deeper into their clutches. When they want that sort of data which will expose your family, your business, your personal freedom to the danger of being absorbed into this intrusive and pervasive data network.
    You must not use an adblock...they want to shove this ***** down your throat whether you like it or not.
    I can't find a way out of the recent Giggle gmale thing. It seems intentional that when you try to meet the demands to keep your account the pitfalls will get you. The error messages are curt and final.
    I was a member of Hitmail before Msft bought it out and it was a good email system originally but ruined later.
    You could argue that if I had put true details in these accounts initially and kept my browsers and operating systems up to date then I wouldn't have a problem. I don't like to give myself, my family and friends and associates away that cheaply.
    In response to the original poster on this thread, I believe that your accounts are probably gone for good and civilised dialogue is not an option to free you from your problem. As you said when you enter an artificial intelligence or robotic loop to try to negotiate it to try to keep your account, you are lost without a friendly ear to listen to your explanation, excuses or woes.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,819
    Location:
    .
    Why don't you save fake details in a file like a txt file? Then you don't need to remember them through the years. Easy, no?
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I put my fake details and security questions in my password manager(KeepassXC). You can add notes to each entry so then they're nicely organised with the corresponding account.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Same here. Always give fake answers to the questions and keep it all in the password manager of your choice.
     
  8. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    do you folks think it is safe to access your login credentials and pw's via your pw manager's website on someone else's / a public device?
     
  9. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    131
    That was an epic rant!
    I agree that things are out of control.
    Google does some pretty cool stuff, but the data mining and lack of support stink.

    I keep my passwords and additional info on 2 separate password managers.
    I provided a manager for my wife and she didn't use it.
    That is what caused this mess.

    But, I just realized that people don't know the difference between "reset/change password (which implies you know the old password, and will ask for it) and "forgot password" which will use other methods such as a backup email.
    That said, this is definitely an issue on Google's side.
    We've received another message that account recovery was canceled because she is signed in on a mobile device or computer.

    Bob
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Definitely not.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Nope. It could be possible if the password was never visible and there is nothing else logging things but screen captures are reason enough not to. I would not risk it.
     
  12. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    @XIII @xxJackxx
    ok then how am i supposed to log in to my mail account on a publicly accessible device if need be? :cautious:
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    Linux boot disk. :isay:
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I read recently about someone being locked out of his Google account because an algorithm falsely determined there was illegal material amongst his photos. No way to contact support or get his account back. Years of email, calendar, photos etc all gone..

    Maybe on a smartphone? It could be both in a Google related app or just device wide somewhere in general settings. Android phones often are closely linked with Google accounts but I've seen this on iPhones as well. I don't really use a Google account, but I have one for Youtube. If I log into the Youtube app on my iPhone, it will automatically log into that account for Google sites in the Safari app as well..
     
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    That is the neat thing: you don't. It is never safe.
    But if someone really must log in to that then just use 2FA via TOTP or hardware security keys like Yubikey as additional protection and boot from a Linux live usb system.
    Then when you finally have access to your own, private device make sure to sign out from any system and change the password.
    Giving access to GMail gives eavesdroppers access not only to your e-mail account, but the whole Google Account, so they can remotely install and remove apps on the owner's Android smartphone.

    Back to thread: from my experiences recovery e-mail isn't really used by Google as 2FA or singular way to recover Google Account access. It is more like a notification e-mail that something is being done on your Google Account.
    2FA is probably limited to hardware security keys, software TOTP-based keys, Google Authenticator (is it different from TOTP? I don't know) and phone number (sms/voice call).
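    Since the post above asks whether Google Authenticator differs from TOTP: it does not, it is an implementation of RFC 6238 TOTP (HMAC-SHA1 over a 30-second time counter, 6 digits), so any standard authenticator app or a password manager's TOTP feature can hold the same secret. The block below is an added example written for this thread, not code from any poster or from Google; it implements TOTP generation and verification, builds the otpauth:// provisioning string that is the thing worth backing up in a password manager, and shows the one-time backup-code scheme whose absence locked the OP's wife out. The secret is the public reference test key from RFC 4226/6238, and the account name, issuer and pepper are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed example secret: the reference key from RFC 4226 / RFC 6238 ("12345678901234567890")
# encoded in base32, which is the form authenticator apps accept and the form worth backing up.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 TOTP secret, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what Google Authenticator does)."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(secret_b32), int(at // step), digits)


def verify_totp(secret_b32, candidate, at=None, step=30, digits=6, window=1):
    """Verifier side: accept the current slot plus `window` slots either way to absorb clock skew.
    Every slot is checked even after a match so timing does not reveal which slot matched."""
    if at is None:
        at = time.time()
    key = decode_secret(secret_b32)
    base = int(at // step)
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta, digits), candidate):
            matched = True
    return matched


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI an authenticator app enrolls from (normally shown as a QR code).
    Saving this string, or just the secret, in a password manager is the backup of the 2FA factor."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


# Constructed server-side pepper; in a real service this is a protected server secret, not in the DB.
_PEPPER = secrets.token_bytes(32)


def _code_tag(code):
    # 8-digit codes span only 10^8 values, so a keyed hash rather than a plain digest keeps
    # a leaked table of stored codes from being reversed by brute force.
    return hmac.new(_PEPPER, code.encode(), hashlib.sha256).hexdigest()


def new_backup_codes(n=10, digits=8):
    """One-time backup codes: plaintext shown to the user once, only keyed hashes kept by the server."""
    codes = [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]
    return codes, {_code_tag(c) for c in codes}


def use_backup_code(stored_tags, candidate):
    """Consume a backup code; each one is accepted exactly once."""
    tag = _code_tag(candidate.replace(" ", ""))
    if tag in stored_tags:
        stored_tags.discard(tag)
        return True
    return False


if __name__ == "__main__":
    print("current code:", totp(EXAMPLE_SECRET_B32))
    print(provisioning_uri(EXAMPLE_SECRET_B32, "alice@example.com", "ExampleIssuer"))
    codes, tags = new_backup_codes()
    print("backup codes (print or store offline, they are the last resort):", " ".join(codes))
```

    The verifier's window of one step either side is the usual compromise between tolerating phone clock drift and keeping the number of codes valid at any moment small; the backup codes are what turn "no prompt arrived" into a recoverable situation rather than a loop.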
     
  16. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    actually that's a great idea. :thumb:
    ...but what if the device in question has no optical drives and/or usb hubs or booting from them is blocked by the sys. admin? :ninja:
     
  17. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    thanks but i'll pass. i don't want to get locked out of my accounts like the op of this very thread we're posting in now.
     
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,649
    Location:
    USA
    If that's the case then move along. You have no idea what is running on someone else's device. :blink:
     
  19. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    ok, thanks. that's a very valid point. :thumb:
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    @Luxeon did your wife have 2FA via TOTP configured on this account?
     
  21. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Try to prevent that need (use your own smartphone on a cellular network).
     
  22. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    Another instance where these "free" services should have real Customer Service.
     
  23. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I think this is posted in the wrong thread. OP's wife didn't remember her passwords, answers to security questions, didn't store recovery codes etc
    Could you be really independent if you can't even remember a password? We're adults, for God's sake, we're supposed to remember passwords or at least store them safely.

    My e-mail is used by my friends and I also gave this address to my bank. In the grand scheme of things I would rather lose access to this account than let someone impersonating me scam my friends or use it to withdraw my money from bank account.

    The only thing I can blame Google for in this incident is the wording around "recovery email". Recovery email is no longer a thing. It is no longer accepted by Google as a significant factor in the authentication process.

    This thread should be seen as an advertisement for password managers. Especially those not-entirely-reliant on cloud/web services.
     
    Last edited: Jun 16, 2022
  24. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I think that despite the problems (some very unrealistic, like a simultaneous lightning strike on two houses) that are listed here, the backup of passwords, recovery codes and TOTP secrets isn't as hard as you would think after reading it.

    I very much like this part:
    This is the reason why banking security and big tech security practices can't be exactly the same.
     