EDIT: You know, after some time to cool off, Google Authenticator 2FA can still be enabled and isn’t being phased out like the less secure SMS 2FA, so it’s really not the end of the world here. The chance of permanent lockout is avoided, even if the whole Google Prompt system is still wack.

  • redcalcium@lemmy.institute
    18 upvotes · 11 months ago

    Last time I logged in, there was a “try another way” button that allowed me to use SMS or a TOTP code. Is this not the case for you?

    • Skull giver@popplesburger.hilciferous.nl
      8 upvotes · 11 months ago

      I thought the same thing, until I tried to log in over a VPN in an actual other country (not just spoofed GeoIP like most piracy VPNs do).

      I clicked “try another way” and got to choose between “notification on your device” and “cancel”.

      Google has some kind of fancy security system that will require you to use the highest form of authentication when something fishy is going on. Multiple failed attempts from a foreign IP address on a device resolution you’ve never used before? Gonna hit you with a mandatory device prompt. Login from a browser with an expired session? Probably not even a 2FA prompt.

      The idea and implementation are done very well, but Google does lack the customer support infrastructure to resolve issues like “I’m in another country and I dropped my phone”.

      You can use Yubikeys or equivalent if you want to always have a way back into your account. Use two for optimal protection against lockout (one primary you use all the time, one stored away safely intended for recovery).

        • Skull giver@popplesburger.hilciferous.nl
          1 upvote · edited · 11 months ago

          Probably. Wouldn’t be surprised if you were equally fucked with Microsoft as well. Faceless tech companies without useful customer support are hell to recover access to. The most reliable way to get any kind of action taken on your behalf is to go through their legal team.

          You can also try to make a thread on Orange Reddit where a lot of Googlers/Applers/Microsofters tend to hang out. The process is 1) write a clear blog post with tons of screenshots and submit it 2) get lucky enough to reach the front page 3) gather enough outrage that the comments start complaining about big tech 4) hope that someone over at Google notices and reaches out to you. Also works with Stripe and Cloudflare!

    • doctorcrimson@lemmy.todayOP
      8 upvotes · 6 downvotes · edited · 11 months ago

      Cool but that doesn’t fix the fact that the default method is one that literally does not function and can result in a permanent lockout. Though, I admit, SMS is way less secure than the Authenticator App.

      • SameOldInternet@lemmy.world
        13 upvotes · 2 downvotes · edited · 11 months ago

        It’s the default because you made it the default. Change your damn security settings; Google can’t do that for you! Being quick to rant about something without knowing how it works or how you got there is on you and not Google.