Me: logs into google account
Google: we don't recognize you! Authenticate yourself!
Me: here's the account's email, send me a code
Google: sends code
Me: provides google code
Google: sorry, the email address of the account isn't associated w/ the account, so we'll deny
Conversation
a short time later:
Google: WARNING! Someone tried to log into your account, here check your settings
Me: goes to link provided in the email
Google: HAHAAHAHA gotcha, did you really think we'd let you log in to your account after we sent email to the account's email address?
1
3
For some reason, Google thinks it's more secure to ADD a phone number to an existing account, possibly provided by an attacker, than it is to send email to the email address on RECORD for that account. Like, really? This is the security google is known for?
4
1
4
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
That's not at all accurate for Google accounts. It's also one of the few sites allowing you to only have security keys as the 2nd factor authentication method.
It doesn't force you to have weaker options. Advanced Protection disables weaker options than security keys altogether.
2
This Tweet is from a suspended account. Learn more
If you're technical and don't want to have customer support able to recover the account for you then landing.google.com/advancedprotec is the best way to enable 2-factor authentication. You need to have at least 2 security keys and can't use other weaker 2 factor authentication methods.
2
Before I had Advanced Protection enabled, I had 2FA enabled and I've never had SMS recovery or SMS as a 2FA method for my account.
The normal UI seems partly aimed at minimizing their customer support burden and the frequency of needing to bypass account security for people.
I think the only other site I use which allows me to have security keys as the only 2FA method is OVH.
I can't see the regular UI for my Google account due to Advanced Protection. There's only a page for adding security keys, no cross-device authorization, no app passwords, etc.