Me: logs into google account
Google: we don't recognize you! Authenticate yourself!
Me: here's the account's email, send me a code
Google: sends code
Me: provides google code
Google: sorry, the email address of the account isn't associated w/ the account, so we'll deny
Conversation
a short time later:
Google: WARNING! Someone tried to log into your account, here check your settings
Me: goes to link provided in the email
Google: HAHAAHAHA gotcha, did you really think we'd let you log in to your account after we sent email to the account's email address?
1
3
For some reason, Google thinks it's more secure to ADD a phone number to an existing account, possibly provided by an attacker, than it is to send email to the email address on RECORD for that account. Like, really? This is the security google is known for?
4
1
4
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
That's not at all accurate for Google accounts. It's also one of the few sites allowing you to only have security keys as the 2nd factor authentication method.
It doesn't force you to have weaker options. Advanced Protection disables weaker options than security keys altogether.
2
If you don't have strong 2-factor authentication then they'll annoy you with weaker attempts at preventing account compromise.
The solution is pairing it with a couple security keys and ideally enabling Advanced Protection if you don't want the customer support backdoors, etc.