I hate current popular implementations of 2FA and similar IT fads for this exact reason. They are inherently insecure, and any security professional who pushes them without serious thought through all the failure modes should be blacklisted from the industry.
This isn't a security flaw, this is incompetency. Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.
They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.
This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.
Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.
>Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.
You would think that using a backup code would prompt a "Do you want to alter 2FA?" workflow, since the user is already at the "2FA has gone wrong" point.
I'm sorry, but when you lose control of and access to your data, but someone else has control and access, that is a security flaw. There is no meaningful difference between broken 2FA and ransomware.
Competently administering 2FA essentially requires human intervention to handle the "I lost all my credentials" case because it will happen with probability 1 eventually. Workplaces can do this because you can call IT and have an already established identity based in the real world.
100%. I've never had any issues with IRL 2FA. If I lose or damage my CAC card I can go to the ID card office with a different photo ID and get a new one with new certificates and set a new PIN. My old certificates will be revoked.
But that's not what's currently popular. What's currently popular is just to check a box with some poorly thought-out system and screw anyone who ever loses their phone number or 2FA device. That's dangerous and unprofessional.
The problem with this is that we are talking about pseudo-anonymous signup for websites. They can't go back and verify the credentials you used to create the account because you didn't provide any. But if this is the case then the help desk is a major security vulnerability, since just anybody can claim to be you and take over your account. The help desk has little to no way to actually verify your identity.
At the very least if the helpdesk does reset your account, there should be a 48 hour lockout and a message sent to the account allowing the owner to dispute the change. Yes it is inconvenient in cases where the actual owner lost all of their login credentials, but this is hopefully rare.
Passwordless is going to make this even worse - there's no migration path (yet) from platform ecosystems to each other. I've not seen any serious progress on how to switch from Apple to Google, which doesn't involve doing things one by one, site by site.
And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non-technical end users, for whom password reset processes might even be the default route of access.
2FA is any two of what you know, what you have, or who you are.
It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.
Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.
How do you get the recovery code? You show up at Whole Foods or Kohl's, or eventually even at an Amazon Hub Locker, and prove your identity with a photo ID card. You're then provided a recovery code linked to one of: your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.
A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)
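The two mechanisms proposed in this thread, a recovery code bound to one identity modality that is invalidated when submitted with the wrong one, and a 48-hour hold on the resulting account change with a dispute message to the owner, are sketched below as an added example. It is not code from any commenter, Google or Amazon; the store layout, the `ManualClock`, the `demo()` scenario and the constructed sample identities (`alice@example.com`, a test card number) are all assumptions made here, and the in-person ID check that precedes `issue()` is assumed to happen outside the code.

```python
# Added example (not from the thread): a recovery-code store that binds each
# code to one identity modality, burns it on any mismatch, and puts the
# resulting account change on a 48-hour hold that the owner can dispute.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MODALITIES = {"legal_name", "email", "phone", "card"}
DISPUTE_HOLD = timedelta(hours=48)


def fingerprint(modality: str, value: str) -> str:
    """Hash the bound attribute so the store never holds it in clear."""
    if modality not in MODALITIES:
        raise ValueError(f"unknown modality {modality!r}")
    return hashlib.sha256(f"{modality}:{value.strip().lower()}".encode()).hexdigest()


@dataclass
class RecoveryCode:
    modality: str
    fingerprint: str
    expires_at: datetime
    spent: bool = False


class ManualClock:
    """Test clock; production code would call datetime.now(timezone.utc)."""
    def __init__(self, start: datetime):
        self.t = start

    def now(self) -> datetime:
        return self.t

    def advance(self, delta: timedelta) -> None:
        self.t += delta


class RecoveryStore:
    def __init__(self, now):
        self._now = now
        self._codes = {}    # sha256(code) -> RecoveryCode
        self._pending = {}  # account -> (effective_at, dispute_token)

    def issue(self, modality: str, value: str, ttl=timedelta(days=7)) -> str:
        # Assumed precondition: called only after an in-person photo-ID check.
        code = secrets.token_urlsafe(16)
        key = hashlib.sha256(code.encode()).hexdigest()
        self._codes[key] = RecoveryCode(modality, fingerprint(modality, value), self._now() + ttl)
        return code

    def redeem(self, code: str, modality: str, value: str) -> bool:
        key = hashlib.sha256(code.encode()).hexdigest()
        rec = self._codes.get(key)
        if rec is None or rec.spent or self._now() > rec.expires_at:
            return False
        rec.spent = True  # one shot: whether it matches or not, the code is burned
        return modality == rec.modality and hmac.compare_digest(
            rec.fingerprint, fingerprint(modality, value))

    def request_reset(self, account: str, code: str, modality: str, value: str):
        """Valid code -> pending change plus a dispute token sent to the owner."""
        if not self.redeem(code, modality, value):
            return None
        token = secrets.token_urlsafe(16)
        self._pending[account] = (self._now() + DISPUTE_HOLD, token)
        return token

    def dispute(self, account: str, token: str) -> bool:
        entry = self._pending.get(account)
        if entry is None or not hmac.compare_digest(entry[1], token):
            return False
        del self._pending[account]  # owner objected inside the window: cancel
        return True

    def reset_is_effective(self, account: str) -> bool:
        entry = self._pending.get(account)
        return entry is not None and self._now() >= entry[0]


def demo() -> dict:
    """Walk the three cases with constructed identities; returns outcomes."""
    clock = ManualClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    store = RecoveryStore(clock.now)
    out = {}
    # 1. Code bound to an e-mail but submitted as a phone: rejected and burned.
    c1 = store.issue("email", "Alice@Example.com")
    out["wrong_modality"] = store.redeem(c1, "phone", "+15550100")
    out["burned_after_mismatch"] = store.redeem(c1, "email", "alice@example.com")
    # 2. Correct modality: change is pending, not effective until the hold passes.
    c2 = store.issue("email", "alice@example.com")
    store.request_reset("alice", c2, "email", "alice@example.com")
    out["pending_immediately"] = store.reset_is_effective("alice")
    clock.advance(DISPUTE_HOLD + timedelta(minutes=1))
    out["effective_after_hold"] = store.reset_is_effective("alice")
    # 3. Owner disputes within the window (constructed test card number).
    c3 = store.issue("card", "4111111111111111")
    tok3 = store.request_reset("bob", c3, "card", "4111111111111111")
    out["disputed"] = store.dispute("bob", tok3)
    clock.advance(DISPUTE_HOLD * 2)
    out["cancelled"] = store.reset_is_effective("bob")
    return out
```

The store keeps only hashes of the code and of the bound attribute, so a leaked table gives an attacker neither; a code is spent on its first use regardless of outcome, which is what makes the "wrong modality invalidates the key" rule cheap to enforce. The dispute token stands in for the message that comment above says should go to the account's existing contacts during the 48-hour lockout.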