I should have written this post six months ago when it happened, but better late than never eh?
Thanks to the recent Wired article about the hacking of Mat Honan’s Amazon, Apple, Google and Twitter accounts I’ve noticed people saying they are turning on Google’s two step verification process. The purpose of this post is NOT to tell you not to use it but just some words of caution.
If you’re not familiar with two-step verification and how it works here’s a handy video.
Now for the rest of the story!
As a frequent travel and user of free wi-fi I activated Google two-step verification process a couple of years ago.
It was a little time intensive setting up (generating all those specific passwords for devices or services) but I felt totally worth it for the extra security it gave me. The app on my android phone was easy to use and since I am NEVER without my phone, always there when I needed it.
Then in January a series of events culminated in the “perfect storm” that led to a nightmare of trying to regain access to my Google account. Like Honan I will freely admit some of these are my fault, though not from major neglect or arrogance but rather life being life means these sorts of things occur occasionally.
First, my Android phone had some serious problems and in attempt to fix it a complete reset was done, deleting my Google Authenticator app. In order to install it I need to generate a code from my Google account on the computer to authenticate it was me. Except. I needed a code from the App to enter on the computer to verify it was me. Begin endless cycle. Uh Oh.
I have several devices connected/signed into my Google account – the phone, my iPad, my desktop computer and my netbook. This caused more problems.
When you sign up for authenticator you are given a series of preset codes for just this purpose and told to guard them with your life. I had them printed and safely put away and knew exactly where they were. That is until I moved a few weeks prior. I hadn’t finished unpacking yet and I had NO idea what box this tiny, yet oh so important piece of paper was squirreled away in.
No big deal, I thought, I’m still signed in on the desktop thanks to a cookie. The iPad works. The phone doesn’t work but not the end of the world, but uh oh the Netbook doesn’t work and I’m getting ready to leave for a professional trip Texas for ALA MW. I can’t get into Google Docs on the iPad because it prompts me for a code from the app. I can’t get into some Google services on the Desktop because they prompt me for a code from the app.
Ok I’ll tell Google I need to reset. I have two options the first get a text on my cell. Great! Except. It was an old cell number, remember I just moved, so that wasn’t going to work. It’s also worth noting at this point that even when I did regain access to my account I could not figure out how to update my mobile number.
So I thought, ok I’ll use my back up email address.
Here’s how that process works. For the record it was a BRUTAL reminder that as far as Google is concerned I am not a customer. I am not paying for a product I do not have the normal recourses a paying customer might and I’m not Robert Scoble so my social media efforts at getting help were ignored.
I clicked the link indicating I need to remove two-step verification from my account. About 24 hours later I got an automatic email at my back up account saying that my request had been received and that someone was working on it. In about another 24 hours I’d get an email saying this
Hello,
We’re glad to see our records indicate that you were able to sign in to your XXXXXXXX@gmail.com account!
Since you recently added 2-step verification to your account, you might have trouble accessing your account using a mobile device, installed chat clients such as Google Talk, or email clients such as Outlook and Thunderbird. To allow them to access your account, you need to sign in to them using an application-specific password. Here’s how:
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056286If you’re still having trouble signing in to web-based Google services, such as Gmail and Docs, reply to this message and we’ll be happy to assist you.
Remember how I could still access my email and calendar on my iPad? Yeah apparently since I was able to do that it would flag that I was back in. I replied to the message saying as politey as possible what happened and that NO I was not back in. Nothing happened. No answer. I waited another day. I did the reset option again, again with the same explanation. I got the same form emails. I replied. I received no response. My email record shows this went on for over a week.
At one point I actually tracked down a number for Google and called them. There was no way for them to help me. At this point I would have gladly thrown money at them to fix the problem but that wasn’t an option. In fact, the fact that it isn’t an option to have “pro” account started me wondering exactly what Google was getting from our relationship because they clearly don’t want my cash but they are sure giving me a lot of services for “free”, but that’s a dark road and one best explored in a different post.
I finally gained access to my account. I considered changing email providers after this, even to one I had to pay for but never found a good option. I’ve also since found the codes in a box and managed to update my phone number with Google.
Like I said this isn’t meant to encourage you not to use two-step verification, but to be cautious. And remember that if you’re not paying for it, you’re not a customer.
Read More
- Strong Passwords Aren’t Enough: How to to Ensure the Apple and Amazon Exploit Never Happens to You
- Set Up Google’s Two-Step Verification Now for Seriously Enhanced Security for Your Google Account
- Turn On Gmail’s ‘2-Step Verification.’ Now.
- Google’s Matt Cutts urges users to adopt 2-step authentication in aftermath of ‘Epic hacking’ incident
- This Is The Best Way To Make Sure Your Gmail Password Stays Safe
- No excuses: It’s time to turn on two-step authentication
- Google’s head of webspam demystifies two-step authentication in wake of recent security breach
- Why You Should Use Google’s Two-Step Login
- Google is rolling out two-step verification for all accounts
Leave a comment