This is a bit unrelated to the harder crypto stuff, but my mom called me freaking out because she couldn’t get into her Gmail. It turns out Google auto-registered her new Android phone with a passkey and made that the default Google login, with a confusing passkey-based interface (expecting her to know to click the second option to log in via password, or to understand wtf a passkey is, was too much IMO).
It turns out when it said “passkey sent to android” the android never got any notification and I couldn’t figure it out after half an hour. You can’t even delete the auto registered passkeys. Nor turn off the default auth flow.
Terrible UX by Google. I’m assuming it’s because her phone is some budget Samsung with a bastardized Android. Trusting those devices on a mass scale to run your auth system was dumb.
No, I'm holding my S21 in my hand, unlocked. About 1/3 of the time, there's no notification. Or it takes five minutes to arrive.
This is only one of many problems I've had with Google recently. I went from haphazardly trying to avoid their products for privacy reasons to now putting max effort into minimizing my Google usage because everything they do is badly broken. I've just spent two weeks getting my business re-listed on Maps after it was flagged for no reason. Impossible to talk to a human. They give you a number to call on every support email, but it's for advertising support who can't do anything about a suspended business account and are very surprised (refuse to believe in fact) that the Google business team gives out their number for support. It took me half an hour of repeating the question in different ways for the Google Ads support woman to admit that there is no way to talk to a human about Google Business.
Welcome to the club. I still have a gmail I use for some family and old friends, and there's a lot of history there, but I generally avoid using it unless it's a throwaway now. And... when dealing with clients, I suggest alternatives to GA, google maps, etc. Occasionally they override me, but I'm helping to get alternatives out there.
12-15 years ago, I was using google pay/wallet/something to accept payments for some projects. They just... rebadged it, changed the terms, etc. I couldn't even figure out what it was being changed to entirely, but, they seemed to not give a shit about orgs like mine who were trying to use their products to conduct business, so I gave up.
I've told my stories to many folks in person; I'll get "oh, you didn't understand abc.." or "that's never happened to me - you must have done something wrong". About a quarter of those people later indicate to me that... yep... they've been hit by some weird google bug or issue or deprecation or abandonment that cost them time/money with no real support options, and they then take steps to get off the google train.
I know I still have a ways to go to get anything critical to my life out of google's way, but every month I get a bit closer.
The problem is, as a small brick and mortar business, there is no alternative to Google Maps. I mean, sure. Technically alternatives exist. But if your customers don't use them, they are meaningless.
Of course we are listed on OpenStreetMap. But my guess is that since we opened, the number of customers we got that way rounds to zero.
Meanwhile, we get delisted from Google Maps and our revenue instantly drops about 70% (we are in a tourist area). It sucks. There's nothing we can do about it except make frustrated posts like this.
Exactly, I'm seriously considering taking my business off Google's ecosystem because of the unwanted "we've sent a notification to your phone" confirmation requirement. I could understand if they did that if I suddenly tried to log in from the other side of the world, or let's say I always use Linux and suddenly my browser identifies as Windows, etc. But if you're running a privacy-focused browser (ungoogled chromium) it happens every single time you're trying to authenticate. From the same IP.
What if my phone is dead? What if I lost it and I'm trying to recover location service credentials by sending a password reset to my email and I can't log in? Then the whole "answer some questions" dance starts. If a hidden and unaccountable algorithm decides that you running ungoogled chromium on Linux is suspicious, and you happen to misremember an answer to some question it might ask (what percentage of available storage are you currently using?), good luck gaining access. BTW, I'm a paying user of Google.
After I deleted my personal google accounts, I was left with work google accounts I would have to maintain.
I have been bitten by this problem more than once, resulting in:
- losing some accounts forever
- temporarily losing access to accounts, preventing me from working for some time
- being forced to go through recovery procedures with tedious docs and a hostile UI, wasting my work time
I eventually found a trick: buy 3 YubiKeys, attach each of them to all my accounts, and keep one on my key ring, one in my desk, one in my bag.
Now, the only thing Google ever asks for is the YubiKey, no matter where I connect from, and I always have one on me. It doesn't require a smartphone, a phone number or an email.
I'm still trying to get rid of as many Google accounts as I can, though. Personally, I'm very cautious about any dependency on Google services, and professionally, adamant about avoiding such dependency as much as is reasonably possible.
I used to be a Google fan 20 years ago. Between the bad user support, the privacy invasion, the decreasing search quality, the monopolistic practices, the censorship, the DMCA situation, the product cancellations, the terms of use / price switcheroo and those shenanigans, they are consistently destroying my faith in them.
But they will not pay the price for it. First, they have enough money to make mistakes for a long time without even noticing. Second, they will pull off a Microsoft PR stunt in 15 years, and everybody will forget and forgive.
Somewhat unrelated, but I got one of those Google Titan fobs. The one time I needed it to work - authenticating from a new-to-me computer - it just... didn't work. I plugged it in and... nothing. No popups, no reaction at all. Thought it was broken, but it worked back on another computer when I tried it later. No idea how this future is supposed to be better. Perhaps Titans are just duds? A couple of YubiKey-focused friends have used theirs for years, but I wonder if they only talk up their successes, and don't mention the failures?
YubiKey-based workflows are finicky. Sometimes, I need to try several times and reload the page or unplug/plug it back in for it to work. Sometimes, I need to switch keys.
It's like arch linux.
Everybody says there is never a problem with it, because, well, geeks lie.
I use Yubikeys (on my Arch Linux machines..) - only problem I've had was soft-bricking one by entering the wrong password (GPG passphrase) more than my max. (Ironically while setting up another as a spare - with a different password, then mixed them up.)
My company uses these tokens and buys YubiKeys or Titans depending on price. They are pretty similar, although Yubi has more features (that we don’t use). I don’t recall having a failure over about 3000 devices. Usually the issue is people lose them.
You have to have a system that makes sense to use them successfully. The upthread guy is talking about multiple accounts lost forever, etc. Sounds like a mess.
The same problems exist on other platforms. Ever support challenge response tokens? Lol.
The only time I've had frustrations with my yubikeys is not being able to redirect them in some RDP sessions when logging into an account that's wanting a yubikey to authenticate. Otherwise, my keyring one that I use the most (original NFC) is nearing a decade old and never fails.
I use it almost exclusively in Windows and ChromeOS.
> But if you're running a privacy focused browsers
I'm sorry, but I was with you until here. If you're going to run a privacy-enhanced browser and then complain that its privacy-enhancing features result in providers being more cautious because you have privacy-enhancing features, then I'm not sure how to help you. I run anti-Google adware on my main browsing identity, but when sites give me shit I just turn it off and reload.
You have a point, but my complaint is that a service like Google shouldn't work based on a binary choice. You either use a persistent session cookie and you're logged in at all times (even if someone else launches your browser), or your session is 100% untrusted, requiring both a password and your phone to confirm it's you.
There should be a middle ground. If I'm logging back in 2 minutes later from the same IP, using the same browser on the same OS, just ask for the password. Or even better, let me choose if I want to use that "phone auth" option in the first place.
I have an account with backup 2FA accounts that I can't get into, as Google insists on approving it on a dead phone because my geolocation is different from when I last logged in.
I'm pretty sure they've existed since before TOTP was an option (I created mine in 2012, which was before I used any two-factor at least), but you have to go into your account settings to enable them:
Nit: Passkeys don't get sent to Android. Instead, the Gmail login would ask you to prove you possess the passkey on the Android by scanning a QR code displayed by the browser.
However I totally get your point. The UX is confusing. The terminology is confusing. Even if each step in the UX gives you an explanation of what it does, it's still useless because people are trained to skip the small print with explanation and click the biggest, most colorful button, especially when they are in a hurry. It's a genuinely hard problem for UX design.
The thing is, the ergonomics are so much worse than just a password. People who are able to remember secure passwords should be able to use them. A service not offering this option is not going to get used.
We already had some that were proud they had some allegedly superior auth scheme that relied on infrastructure I do not necessarily trust at all.
This sent me over the edge. It forced the realization that Google does not make decisions based on users. I know, I know, obvious - but even though I "knew" that, it had not clicked that obviously they would make decisions BAD for users. Google makes money from advertisers. They provide just enough service to users that it does not send them away. And just enough to keep competitors at bay. As long as users don't leave they don't really care - they don't have to care.
This is the way it is. If we want something different we need services not paid for by advertisers. (And no. While Google exploits users one way, Apple does another. Picking your poison is not a choice.)
To be fair, this is really just Google being idiotic with their product UX and has nothing to do with passkeys. I think most anybody would be confused if Google randomly changed their login UX to something users aren’t familiar with.
Yep, this is how Comcast is for me. I never get the notification for the "registered device" even though it's a newish, popular phone. I don't trust passkeys because it relies on a certain device, instead of something you can just write down or save to a browser to use on multiple devices.
If I lose my phone, I can't get into my email to do anything else.