
Exactly, I'm seriously considering taking my business off Google's ecosystem because of the unwanted "we've sent a notification to your phone" confirmation requirement. I could understand it if they did that when I suddenly tried to log in from the other side of the world, or, let's say, I always use Linux and suddenly my browser identifies as Windows, etc. But if you're running a privacy-focused browser (ungoogled chromium) it happens every single time you're trying to authenticate. From the same IP.

What if my phone is dead? What if I lost it and I'm trying to recover location service credentials by sending a password reset to my email and I can't log in? Then the whole "answer some questions" dance starts. If a hidden and unaccountable algorithm decides that you running ungoogled chromium on Linux is suspicious, and you happen to misremember an answer to some question it might ask (what percentage of available storage are you currently using?), good luck gaining access. BTW, I'm a paying user of Google.



After I deleted my personal Google accounts, I was left with work Google accounts I would have to maintain.

I have been bitten by this problem more than once, resulting in:

- losing some accounts forever

- temporarily losing access to accounts, preventing me from working for some time

- forcing me to go through recovery procedures with tedious docs and hostile UI, wasting my work time

I eventually found a trick: buy 3 YubiKeys, attach each of them to all your accounts, and have one on my key ring, one in my desk, one in my bag.

Now, the only thing Google ever asks for is the YubiKey, no matter where I connect from, and I always have one on me. It doesn't require a smartphone, a phone number or an email.

I'm still trying to get rid of as many Google accounts as I can, though. Personally, I'm very cautious about any dependency on Google services, and professionally, adamant about avoiding dependency as much as is reasonably possible.

I used to be a Google fan 20 years ago. Between the bad user support, the privacy invasion, the decreasing search quality, the monopolistic practices, the censorship, the DMCA situation, the product cancellations, the terms of use / price switcheroo and those shenanigans, they are consistently destroying my faith in them.

But they will not pay the price for it. First, they have enough money to make mistakes for a long time without even noticing. Second, they will pull off a Microsoft PR stunt in 15 years, and everybody will forget and forgive.


Somewhat unrelated, but I got one of those Google Titan fobs. The one time I needed it to work - authenticating from a new-to-me computer - it just... didn't work. I plugged it in and... nothing. No popups, no reaction at all. Thought it was broken, but it worked on another computer when I tried it later. No idea how this future is supposed to be better. Perhaps Titans are just duds? A couple of YubiKey-focused friends have used theirs for years, but I wonder if they only talk up their successes, and don't mention the failures?


YubiKey-based workflows are finicky. Sometimes I need to try several times and reload the page or unplug/plug back in for it to work. Sometimes I need to switch keys.

It's like Arch Linux.

Everybody says there is never a problem with it, because, well, geeks lie.

Doesn't mean it's not useful.

I have a part of the article "Why not tell people to "simply" use pyenv, poetry or anaconda" (https://www.bitecode.dev/p/why-not-tell-people-to-simply-use) talking about this lying problem.

But I probably should make it a separate article, because that's an independent issue in itself.


I use YubiKeys (on my Arch Linux machines..) - the only problem I've had was soft-bricking one by entering the wrong password (GPG passphrase) more than my max. (Ironically while setting up another as a spare - with a different password - then mixing them up.)


My company uses these tokens and buys YubiKeys or Titans depending on price. They are pretty similar, although Yubi has more features (that we don't use). I don't recall having a failure over about 3000 devices. Usually the issue is people lose them.

You have to have a system that makes sense to use them successfully. The upthread guy is talking about multiple accounts lost forever, etc. Sounds like a mess.

The same problems exist on other platforms. Ever support challenge response tokens? Lol.


My YubiKey has failed me a number of times. I have had to register it again and again.

Lately there have been fewer problems, but I have no idea why.


The only time I've had frustrations with my YubiKeys is not being able to redirect them in some RDP sessions when logging into an account that wants a YubiKey to authenticate. Otherwise, my keyring one that I use the most (original NFC) is nearing a decade old and never fails.

I use it almost exclusively in Windows and ChromeOS.


> But if you're running a privacy focused browsers

I'm sorry, but I was with you until here. If you're going to run a privacy-enhanced browser and then complain that it has privacy-enhancing features which result in providers being more cautious because you have privacy-enhancing features, then I'm not sure how to help you. I run anti-Google adware on my main browsing identity, but when sites give me shit I just turn it off and reload.


You have a point, but my complaint is that a service like Google shouldn't work based on a binary choice. You either use a persistent session cookie and you're logged in at all times (even if someone else launches your browser), or your session is 100% untrusted, requiring both a password and your phone to confirm it's you.

There should be a middle ground. If I'm logging back in 2 minutes later from the same IP, using the same browser on the same OS, just ask for the password. Or, even better, let me choose if I want to use that "phone auth" option in the first place.
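The "middle ground" described in the comment above is what is usually called risk-based (or step-up) authentication. The following is an added illustration, not code from the commenter or from Google: it decides which factors a login must present from a comparison of the previous and current device context, returns the reasons alongside the decision so the policy is auditable rather than hidden, and honours a user's opt-out of a particular second factor. The context fields, the 15-minute window and the factor names are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Assumed window (not a Google value): logins this close together from the
# same client skip the second factor.
RECENT_WINDOW_SECONDS = 15 * 60


@dataclass(frozen=True)
class DeviceContext:
    """What the server can observe about the client at login time (assumed fields)."""
    ip: str
    browser: str   # e.g. the browser family from the User-Agent
    os: str        # e.g. "linux" / "windows"


class Requirement(Enum):
    PASSWORD_ONLY = "password"
    PASSWORD_AND_SECOND_FACTOR = "password+second_factor"


def evaluate(previous: Optional[DeviceContext],
             current: DeviceContext,
             seconds_since_last_login: Optional[float]) -> Tuple[Requirement, List[str]]:
    """Return the factor requirement plus the human-readable reasons for it.

    Every signal that raised the requirement is recorded, so the user (and the
    support engineer) can see why a step-up was demanded.
    """
    reasons: List[str] = []
    if previous is None or seconds_since_last_login is None:
        reasons.append("no prior login context for this account")
        return Requirement.PASSWORD_AND_SECOND_FACTOR, reasons

    if previous.ip != current.ip:
        reasons.append(f"ip changed: {previous.ip} -> {current.ip}")
    if previous.browser != current.browser:
        reasons.append(f"browser changed: {previous.browser} -> {current.browser}")
    if previous.os != current.os:
        reasons.append(f"os changed: {previous.os} -> {current.os}")
    if seconds_since_last_login > RECENT_WINDOW_SECONDS:
        reasons.append(f"last login {seconds_since_last_login:.0f}s ago exceeds "
                       f"{RECENT_WINDOW_SECONDS}s window")

    if reasons:
        return Requirement.PASSWORD_AND_SECOND_FACTOR, reasons
    return Requirement.PASSWORD_ONLY, ["same ip, same client, recent login"]


def pick_second_factor(enrolled: List[str], opted_out: List[str]) -> Optional[str]:
    """Choose the first enrolled factor the user has not opted out of.

    `enrolled` is in the user's preferred order (assumed factor names such as
    "security_key", "totp", "backup_code", "phone_push"); None means the user
    has nothing usable enrolled and must go through recovery instead.
    """
    for factor in enrolled:
        if factor not in opted_out:
            return factor
    return None


if __name__ == "__main__":
    # Constructed sample contexts, not observed data.
    home = DeviceContext("203.0.113.5", "ungoogled-chromium", "linux")
    elsewhere = DeviceContext("198.51.100.7", "chrome", "windows")
    for prev, cur, age in [(home, home, 120), (home, elsewhere, 120), (home, home, 3 * 3600)]:
        req, why = evaluate(prev, cur, age)
        print(req.value, "|", "; ".join(why))
    print(pick_second_factor(["phone_push", "security_key", "backup_code"], ["phone_push"]))
```

The decision function never looks at anything beyond what the two contexts contain, which is the point: a user running the same browser on the same OS from the same network two minutes later gets the password-only path, and when they do not, the reasons list says exactly which signal changed.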


>Then the whole "answer some questions" dance starts.

Google literally does provide you with backup codes that they tell you to keep offline available, which is pretty common practice for any 2FA scheme.
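The backup codes the comment above refers to are the standard fallback factor for 2FA schemes. As an added example (not Google's implementation, and not the commenter's code), here is what a service-side backup code store commonly looks like: codes are generated from a CSPRNG, shown to the user exactly once, stored only as salted PBKDF2 hashes so a database leak does not hand out working codes, compared in constant time, and deleted on first successful use. The code length, batch size, iteration count and class names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import List

# Assumed parameters for this example (not any vendor's values).
CODE_LENGTH = 10          # digits per code
CODE_COUNT = 10           # codes issued per batch
PBKDF2_ITERATIONS = 100_000
ALPHABET = "0123456789"


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> List[str]:
    """Return `count` fresh random digit strings drawn from a CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _normalize(code: str) -> str:
    # Users copy codes from a printout; tolerate spaces and dashes.
    return code.replace(" ", "").replace("-", "").strip()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Hash-then-store: the plaintext codes exist only in the user's hands.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """Per-account store of unused backup code hashes (hypothetical name)."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes: List[bytes] = []

    def issue(self, count: int = CODE_COUNT, length: int = CODE_LENGTH) -> List[str]:
        """Replace any existing batch and return the new plaintext codes once."""
        codes = generate_backup_codes(count, length)
        self._salt = secrets.token_bytes(16)
        self._hashes = [_hash_code(c, self._salt) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume a code if it is valid and unused; each code works exactly once."""
        candidate_hash = _hash_code(_normalize(candidate), self._salt)
        for index, stored in enumerate(self._hashes):
            # Constant-time comparison so timing does not leak which slot matched.
            if hmac.compare_digest(candidate_hash, stored):
                del self._hashes[index]
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; a UI would warn the user when this gets low."""
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("issued:", codes)                     # show once, then discard
    print("first use:", store.redeem(codes[0]))  # True
    print("replay:", store.redeem(codes[0]))     # False: already consumed
    print("remaining:", store.remaining())       # 9
```

The two properties worth copying are the one-time consumption (a replayed code is rejected) and the hashed storage; keeping a dozen plaintext codes next to the account record would turn every database read into a second-factor bypass.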


I have an account with backup 2FA accounts that I can't get into, as Google insists on approving it on a dead phone because my geolocation is different to when I last logged in.


What? I've never been given backup codes, nor any notification that such a thing even existed.


I'm pretty sure they've existed since before TOTP was an option (I created mine in 2012, which was before I used any two-factor at least), but you have to go into your account settings to enable them:

https://myaccount.google.com/security

"Backup codes" is in the "How you sign in to Google" section.


It makes you get backup codes when you add a TOTP or webauthn authenticator.


> What if my phone is dead?

You get to have a fresh start at life!


I swear the phone as 2FA is a setting you can actually turn off, buried in the account settings.

