9

According to the Google information page here: https://support.google.com/accounts/answer/6103523

If you don’t have another second step or forgot your password

Note: 2-Step Verification requires an extra step to prove you own an account. Because of this added security, it can take up to 3-5 business days for Google to make sure it’s you trying to sign in.

Follow the steps to recover your account. You'll be asked some questions to confirm it's your account. Use these tips to answer as best you can.

You may be asked: To enter an email address or phone number where you can be reached. To enter a code sent to your email address or phone number. This code helps make sure you can access that email address or phone number.

This seems to indicate that even if I have two Google Titan keys (two are required for Google's Advanced Protection Program), someone can just fill in a form to claim that the keys are lost, and then gain access if they can intercept access to texts sent to my mobile phone number. This seems to indicate that the attacker can just wait until they think I'm on vacation and not paying attention, and then gain access to my account?

Is there any way to lock the account down so that my cell provider is not the weakest link?

knaccc
  • 220
  • 1
  • 5

2 Answers

2

After all, Google decides whether to recover your account or not. So from a logical standpoint you cannot lock down the account, because you do not have ultimate control over the account.

You can answer a lot of security questions and hope that Google or the Google helpdesk will ask all questions and decide wisely. But after all, it is not in your hands.

It does not seem like Google would allow an account to be unrecoverable.

So yes, authentication, and also two-factor authentication, is only as good as the processes, in this case the recovery process. And if you have a poor recovery process, then the 2FA is poor, too.

cornelinux
  • 1,993
  • 8
  • 11

1

I have never gone through the process, but from what I can tell this is a last-resort recovery option. Google is aware of that threat and probably has ways to mitigate it. That said, the process is fairly opaque as far as I can tell. The 3-5 days seems to indicate they do some sort of manual review, probably call you and try to see if you have knowledge of information on the account. You should try it and see what happens, then let us know.

ScarySpider
  • 1,118
  • 1
  • 6
  • 7