EDIT: You know, after some time to cool off, Google Authenticator 2FA can still be enabled and isn’t being phased out like the less secure SMS 2FA, so it’s really not the end of the world here. The chance of permanent lockout is avoided, even if the whole Google Prompt system is still wack.

  • Chozo
    34
    8 months ago

    I don’t get this. Is this an SMS-based 2FA? If so, I’m not sure that Google has any ability to block that. Your carrier might, though, but that wouldn’t be controlled by your device’s OS. The option being greyed out on a third-party site has little to do with anything happening locally on your device.

    If this is a push-based 2FA, then… yeah, you wiped the device, along with any tokens previously stored on it. This is also why any time you set up 2FA on any service, almost all of them warn you like a million times “If you lose or transfer your device before disabling 2FA, you will lose access to your account” before you complete the process.

    • Extras
      18
      8 months ago

      I can swear Google gives you 10 OTPs to print out when enabling 2FA as well. Also, if using TOTP, backing up your seed would also be an option.

      • @orclev@lemmy.world
        27
        8 months ago

        This is different. This is something new Google is rolling out. This isn’t SMS and it isn’t TOTP. Google is opting people into push-based authentication based solely on them having an Android phone associated with their account, whether they’re still using that phone or not. Anyone not already using TOTP or WebAuthn should really add those to their accounts before Google decides to “help” you by opting you into their new proprietary 2FA.

          • @Infernal_pizza@lemmy.world
            3
            8 months ago

            Anyone know what the best alternatives to Gmail are? I’ve heard mixed things about Proton Mail and I’m not aware of many others.

            • @doctorcrimsonOP
              -1
              8 months ago

              Outside of a private server, I’ve been using Yahoo Mail for like 23 years tbh

    • @doctorcrimsonOP
      12
      8 months ago

      The problem is they are turning OFF the SMS and instead sending a special dialogue to a nonexistent device for the user to hit a prompt. The device was never used, though, and it was never set up for 2FA. My default has always been SMS which they are now disabling.

      • Chozo
        8
        8 months ago

        Deprecating SMS authentication is a good thing, in all honesty. SMS is not a secure form of data transfer, and is trivially intercepted. You can buy and set up an illegal Stingray device relatively easily, and capture basically all wireless data from a phone within range.

        That said, if the device was truly never used for 2FA, then there wouldn’t be any push-based 2FA on the account to begin with. Unless there’s another device that’s been authenticated with your account somewhere, like an old phone. In which case, that’s where your login requests are being pushed to. That’s a setting that can only be enabled by successfully authenticating with a device at least once in the past.

        If there was never any other authenticated device, then that setting on your account isn’t there. Enabling that feature is a two-step process, and step 1 involves configuration on a local device before it can be enabled remotely on your account.

        • @doctorcrimsonOP
          -2
          8 months ago

          SMS could potentially be a secure form of data transfer if companies weren’t allowed by limp dinosaur legislators to gut your phone for any usable data with a simple app, but yeah, I can see how its current state is lackluster.

          You’re wrong, btw, the Google Prompts feature is Default and cannot be turned off.

          • brianorca
            2
            8 months ago

            The SMS vulnerability is not because of your apps. It’s because of the LTE protocol itself. It can be intercepted or redirected without touching your phone.

          • Chozo
            1
            8 months ago

            “You’re wrong, btw, the Google Prompts feature is Default and cannot be turned off.”

            Only if there’s a previously-authenticated device. That setting can’t be enabled without a key, and one of the required keys is produced locally by a logged-in device (which is why your device is trusted to stay logged in indefinitely). If enabled without a key, it’s nonfunctional and should error itself out and revert to a disabled state.

            If that somehow hasn’t happened (which, in all honesty, would be very surprising to learn) and the setting is enabled on your account, then that’d be something you’d need to submit a request to Google to have fixed, otherwise you have zero recovery on that account.

            Are you a thousand percent sure you’ve never had any other device logged into that Google account? When you attempt to log in, it should show you the device name it’s sending the request to. For instance, when I log into my Gmail from an Incognito window right now, it says to check my Pixel 6 Pro. What’s it saying for you?

            • @doctorcrimsonOP
              1
              8 months ago

              No, I’m telling you, it’s on by default when you purchase a Google Device. It doesn’t need to be set up.

              • Chozo
                -1
                8 months ago

                What device does it say it’s sending the request to?

                • @doctorcrimsonOP
                  1
                  8 months ago

                  A device. The fact that any device is getting a google prompt and it cannot be disabled is the issue.

  • @skip0110@lemm.ee
    24
    8 months ago

    If you log in to the Gmail app on any device, it can also act as 2FA. Does not need to be the one where they send the push… any logged-in device will work.

    • @doctorcrimsonOP
      2
      8 months ago

      Yeah, that’s the problem, you can’t turn it off.

  • @redcalcium@lemmy.institute
    22
    8 months ago

    Last time I logged in, there was a “try another way” button that allowed me to use an SMS or TOTP code. Is this not the case for you?

    • Skull giver
      11
      7 months ago

      [This comment has been deleted by an automated system]

    • @doctorcrimsonOP
      2
      8 months ago

      Cool but that doesn’t fix the fact that the default method is one that literally does not function and can result in a permanent lockout. Though, I admit, SMS is way less secure than the Authenticator App.

      • @SameOldInternet@lemmy.world
        18
        8 months ago

        It’s the default because you made it the default. Change your damn security settings; Google can’t do that for you! Being quick to rant about something without knowing how it works or how you got there is on you and not Google.

        • DreamButt
          2
          8 months ago

          This is Lemmy, you can’t expect people to be calm or rational.

          • @doctorcrimsonOP
            3
            8 months ago

            Well he’s also just wrong, Google Prompts cannot be disabled.

        • @doctorcrimsonOP
          1
          8 months ago

          They

          Do Not

          Allow you

          To turn off

          Google Prompts Default Option

  • @lobo@lemm.ee
    14
    8 months ago

    something similar happened to me too, an account that didn’t have 2FA enabled at all suddenly asking for confirmation on a device I just wiped

    it sorted itself after a couple of hours, maybe a bug

  • ka-chow
    10
    8 months ago

    This is like uninstalling Windows, installing Linux, and then blaming Microsoft because a feature you used in Windows doesn’t work in Linux

    • @NRoach44@lemmy.ml
      16
      8 months ago

      No, this is

      • buying a Surface from Microsoft
      • immediately wiping it and installing Linux
      • Microsoft then forcing you to authenticate using the device that is only tied to your account via purchase, and NOT login records, AND disabling other forms of auth

    • @doctorcrimsonOP
      12
      8 months ago

      If installing Linux was a feature sold to you by Microsoft, and then Microsoft removed the ability for the feature to work on Linux, then that would be accurate.

      • Final Remix
        6
        8 months ago

        Installing Linux is now a feature from Microsoft. They even rolled out a guide recently.

    • @thepiguy@lemmy.ml
      4
      8 months ago

      It’s like installing Linux, then Microsoft not allowing you to access GitHub from any device.

  • @PM_ME_YOUR_SNDCLOUD@lemmy.world
    7
    8 months ago

    Even if you turned it back at this point, it still wouldn’t work.

    This is pretty infuriating though; Google works just fine with any device that doesn’t run Android so why would they care that you’re running a custom ROM?

    My guess is something less evil and more mundane: something about your number changed in their system and now they can’t send codes to it, which is why it’s grayed out. Maybe it was previously classified as a mobile number but now is classified as a landline.

    Your only option, if you don’t have any backup codes, is to use that “Get Help” option they have that takes a few days and then either start carrying around backup codes, a YubiKey, or De-Google.

    Hey, maybe all 3!

      • brianorca
        1
        8 months ago

        To be fair, customer support is often the way hackers bypass these protections.

        • Skull giver
          1
          7 months ago

          [This comment has been deleted by an automated system]

    • @doctorcrimsonOP
      1
      8 months ago

      As a few people pointed out, it’s only SMS that’s being phased out, so using Google Auth is a superior option if you still have access to set it up. But yeah, backup codes would be great for those already locked out by accident.

    • @doctorcrimsonOP
      19
      8 months ago

      I never have and will never ask to use 2FA via the device. This isn’t sown, it’s just crappy design.

      • Square Singer
        7
        8 months ago

        How dare you use the phone in a different way than Google intended! /s

    • @thepiguy@lemmy.ml
      7
      8 months ago

      Using your device to do whatever is OP’s right. From reading the post, it seems to me that the problem is that they disable other forms of auth. This is for sure intentional, or at least a low priority bug for obvious reasons. I had the same issue, but it was failing to pull up the menu in my stock Nothing Phone 1. It got fixed later, but why are my backup emails or phone numbers not being used as other forms of 2FA? That is when I realised that despite my efforts, I have ended up relying on Google too much. In the process of changing that, even if it costs me money to host the servers.

    • @doctorcrimsonOP
      17
      8 months ago

      You actually have to buy the unlocked bootloader version of phones directly from Google, not something the vast majority of people could accomplish on their own. It’s a selling feature they provide so they can cut out middlemen at carrier services like Verizon (either that or Verizon locks it themselves, idk). I feel like if they wanted to detect that a device hasn’t been used in months or years before requiring you use it and only it for 2FA, they could.