
I've also noticed that there's something very surprising about how Google has implemented their 2FA. When I log into Gmail from a new computer, it does not text me an authentication code and then lock me out of the account until I enter the code. Instead it lets me into my account immediately with only a password, and then sends my phone a notification that someone has logged in from a new computer. Ignoring this notification has no consequence for the logged-in computer. Convenient indeed, but this is really not how I expect 2FA to work, and does nothing to prevent an attacker from reading the contents of your emails or sending fraudulent emails with nothing but a password.


That's not how Google 2FA works; you seem to have misconfigured something. When you actually have 2FA on (like I do), you must enter your one-time code after entering the correct password.


If I've misconfigured something, then it's news to me as to how. I've received 2FA texts from Google before, so I know that it used to work as expected, and I haven't been in my account settings for over a year. If something on my account has changed, then it's been out from under my feet without my understanding as to how.


Uhh, are you sure? I've never seen it behave this way and that doesn't make sense. Can anyone else corroborate this?

Normally after you enter your password it immediately asks for the 2FA authentication code. There's only one button and that's to verify the code. If you try to go to gmail.com before entering that code it will make you start the entire authentication process over again.
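As an added illustration (not code from Google or from anyone in this thread), here is a minimal two-step login in Python that contrasts the two behaviours described above: a notification-only flow, in which the password alone yields a usable session and the phone merely receives a notice, and the gated flow described in this comment, in which the password only produces a short-lived challenge, no session exists until the one-time code verifies, and a failed or expired challenge discards the attempt so the whole process starts over. The user store, salt and TOTP secret are constructed for the example; the code check is standard RFC 6238 TOTP over HMAC-SHA1.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30      # TOTP time step
CHALLENGE_TTL = 300    # seconds a pending second-factor challenge stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example (not real credentials).
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "password_hash": _hash_password("correct horse", _SALT),
        "totp_secret": b"0123456789abcdef0123",  # constructed 20-byte shared secret
        "twofa_enabled": True,
    },
}


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30 s counter."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]),
                               user["password_hash"])


# Flow A: password alone issues the session; the "second factor" is only a
# notification that the legitimate owner may or may not act on.
NOTIFICATIONS = []


def notify_only_login(username: str, password: str):
    if not check_password(username, password):
        return None
    NOTIFICATIONS.append(f"{username}: new sign-in from an unrecognised device")
    return {"user": username, "session": secrets.token_hex(16)}


# Flow B: password yields only a single-use challenge token; the session is
# created exclusively inside verify_code, after the one-time code checks out.
PENDING = {}


def gated_login(username: str, password: str, now=None):
    now = int(time.time()) if now is None else now
    if not check_password(username, password):
        return None
    if not USERS[username]["twofa_enabled"]:
        return {"user": username, "session": secrets.token_hex(16)}
    token = secrets.token_hex(16)
    PENDING[token] = {"user": username, "expires": now + CHALLENGE_TTL}
    return {"challenge": token}  # deliberately no session yet


def verify_code(token: str, code: str, now=None):
    now = int(time.time()) if now is None else now
    # Pop unconditionally: a wrong or late code consumes the challenge, so the
    # client has to redo the password step rather than retry the code.
    pending = PENDING.pop(token, None)
    if pending is None or now > pending["expires"]:
        return None
    secret = USERS[pending["user"]]["totp_secret"]
    # Accept the current and the previous step to tolerate small clock skew.
    valid = {totp(secret, now), totp(secret, now - STEP_SECONDS)}
    if not any(hmac.compare_digest(code.encode(), v.encode()) for v in valid):
        return None
    return {"user": pending["user"], "session": secrets.token_hex(16)}
```

The point of the structure is that `gated_login` never constructs a session object when 2FA is enabled, so there is no code path that hands out a session on the password alone, and `verify_code` pops the challenge before checking anything, which is what forces a restart after a failure or a timeout.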


I can confirm that that's what happens to your account when you don't have 2FA enabled. Can you double check your settings?


I'm on mobile right now, and I don't see a way to check 2FA status from within the Gmail app. I can confirm that I've had it set up correctly before, as I've received an authentication code from Google as recently as September 28.


You should be able to visit https://myaccount.google.com in a mobile browser to check your 2FA setting.


Aha, thanks, that does indeed say that 2FA is disabled. But I'm seriously baffled as to how it became disabled, as I absolutely enabled it previously and have been receiving 2FA verification codes via text since at least May 2015. Is there some way of accidentally disabling 2FA for Google accounts? I haven't gotten a new phone for years, and I've made no other changes to my Google account for as long.



