LEdoian's Blog

Google Takeout lockout

Long story short: Google decided that among the multiple second factors in my account only TOTP is the secure one, and that one stopped working. Therefore I cannot do some “privileged” operations with the account. Therefore I deem it out of my control, please do not assume I have access to it and use other ways to contact me. And don't trust Google and big corporations I guess…

And yes, this is another article in the vein of “Google is blocking my access to something even when it shouldn't”.

Context

A long time ago, even I had a Google account and used GMail for most of my stuff. And at that time, I was maybe too eager to enable two factor authentication on that account using the Google Authenticator TOTP app. I somehow did everything to be safe: I saved the recovery keys, set up a recovery phone number, even saved the TOTP secret in my password manager (and I have a vague memory of reusing it from there).

That was in the past. I cannot tell precisely when, because Google tells me multiple dates: 2FA was enabled on 2012-08-09, the Authenticator was added on 2016-12-21, and the backup codes have the timestamp 2014-10-28 [1].

Then over time, I started disliking Google, self-hosting my stuff and changing devices. That did not matter to me, because I was logged in on my machines, so I never used 2FA in my workflow, and the use of the account has been diminishing over time. I also destroyed a few smartphones, so the original Authenticator installation does not exist anymore.

More recently, the codes were not working. That did not stop me from logging in, because it was possible to fall back to an SMS.
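An added example, not code from the original post: the check I would run before concluding that "the codes are not working" is to regenerate TOTP codes from the secret saved in the password manager with nothing but the Python standard library, and then look for the offset at which the saved secret reproduces the code the app shows. A small offset means clock skew between the phone and the server; no match within a generous window means the stored secret is not the one the server enrolled. It assumes the usual Google Authenticator parameters (base32 secret, HMAC-SHA1, 6 digits, 30-second step); the sample secret is the RFC 4226/6238 test vector, not anyone's real secret.

```python
"""RFC 6238 TOTP from a saved base32 secret, standard library only (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890",
# base32-encoded. Not a real account secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_b32(secret_b32: str) -> str:
    """Strip the spaces/dashes password managers like to add and restore base32 padding."""
    cleaned = "".join(ch for ch in secret_b32 if ch not in " -").upper()
    return cleaned + "=" * ((-len(cleaned)) % 8)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(base64.b32decode(normalize_b32(secret_b32)), at // step, digits)


def find_skew(secret_b32: str, observed: str, at: int, max_steps: int = 10, step: int = 30):
    """Return the step offset k (searched from -max_steps upward) at which the saved
    secret reproduces the observed code, or None if it never does in that window.
    A small k means clock skew; None means the stored secret is not the enrolled one."""
    for k in range(-max_steps, max_steps + 1):
        t = at + k * step
        if t < 0:  # no counters before the epoch
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), observed):
            return k
    return None


def verify(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-style acceptance: the code matches within +/- window steps of `at`."""
    return find_skew(secret_b32, code, at, max_steps=window, step=step) is not None


if __name__ == "__main__":
    now = int(time.time())
    print("code right now from the saved secret:", totp(RFC_TEST_SECRET_B32, now))
    # Then compare with the app, e.g.: find_skew(RFC_TEST_SECRET_B32, "<code shown in app>", now)
```

If `find_skew` returns a non-zero offset, the fix is the phone's clock, not the secret; if it returns None even with `max_steps` in the hundreds, the secret in the password manager is not what the server has, and only the fallback methods (backup codes, SMS) can help.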

Lately, I wasn't even using the account regularly. I just keep it in case something still keeps around my gmail address [2].

Too irregularly, it seems. I got the SMS that my account had not been used in the past year and is going to be deactivated and then deleted.

So I thought: Let me just download my stuff, since we have GDPR.

The lockout

And there really is Google Takeout, which is AFAIK meant for such things. The only problem: I cannot get to the data.

Let me restate: I know pretty much all the possible information to be able to get to my account. And I can get to a part of the account. What part? The only definition I have is “the part that does not require Google Authenticator”. Which apparently does not include: Google Takeout, changing 2FA settings, getting new recovery codes, adding a backup email address.

Well no, but actually yes. I can create the Takeout request, if I select that I want to be informed by Gmail. Then I get a link to download the data, but on attempting to download it I am required to authenticate with TOTP. When choosing other ways to get the data, I need TOTP right away.

And the dialog is pretty much the same as with a “regular” login: password, then 2FA code. The only difference is that in this case, the “More ways to verify” link under the prompt for the TOTP code only allows a TOTP code. Not a backup code. Not the backup number. TOTP or go fish.

Funnily, the account recovery procedure follows the “regular” flow. So, if you steal my phone and can guess my past password (or maybe find it in a leak), you will get access to my Gmail and whatnot, and will probably be able to read most of the data anyway, but the machine-readable exports would be very safe from you. Great tradeoff!

The result is that I am fairly sure I will not get some of the data. (I could file an official GDPR request, though I don't have time for that now.)

And I don't really care whether my TOTP codes not working is due to a misconfiguration, a bad migration at some point, a bit flip or malice. The stupid part is the fact that there really are two methods of logging in, AFAICT not documented, that I was bitten by.

The take ~~out~~ away: Don't secure your account? Don't trust companies that fallback methods will work? Fuck Google? 🤷

(This really starts to look like a web log of the random stuff that happens to me :-D)


[1] I think sharing these dates is not compromising my privacy. However, if there is a Google employee that can find the account according to these dates, I hate them with passion.
[2] I will not call that email out of spite. Emails are governed by RFCs, not corporations, and Google has been dictating their approved use of the technology too much.