I use a hardware security token to log into my Google account and then use that to log in to several other services. If I were to lose my token, I would still have my backup tokens, and could update this account to use a new token and unenroll the old token.

If instead, every site I had ever logged into kept track of my tokens I would need to visit each of them and do the same thing.

(It's already messier than that because some accounts I have--GitHub and Facebook--don't accept SSO but are important enough to be worth protecting with hardware tokens. But I don't want to go farther in this direction!)



We’re not talking a loss of a hardware authenticator, we’re talking the loss of access to your Google account. Worst case with passkeys is you lose access to the cloud corpus of your keys due to loss of account access while still having them on your device (and/or a passkey manager).


I think I'm much, much more likely to lose a hardware authenticator than my Google account.


And that's not necessarily universally true.

* Securing hardware authenticators is much more within our control than the whims of Google are.

* Most of us aren't ex-Googlers with contacts and reach (which are the only way to get reliable support when one's account does get borked), so that side of the risk is also much higher for normal people than for you.


https://hn.algolia.com/?q=google+account+locked+out

https://news.ycombinator.com/item?id=30771057

And that’s just HN participants, not the unknown layman cohort.


I read through the links, and there were about 15 posts where people got locked out of their Google account over a 12-year period. Many of these are links to articles on other sites not written by the submitter, but we'll count them anyway. So that's ~1 per year.

According to dang, there are ~100k monthly active logged-in HN users [1]. In a population that size of 25-54 year-old Americans, you'd expect around 290 to die each year [2].

Getting locked out of my Google account is pretty low on my list of things to worry about.

[1] https://news.ycombinator.com/item?id=9219581 (and that was in 2015 - I assume it's grown since then)

[2] https://www.cdc.gov/nchs/products/databriefs/db427.htm


On the other hand, if the yearly amount is so small, a service (a single dedicated human) to fix/reset/correct those issues should be affordable for Google.

This is not specific to Google. A lot of services/apps/whatever like to state (and it is probably true) that they are in practice error-free, at least with account management, yet when this extremely rare event happens there are no (or extremely complex) ways to fix the problem, short of posting to HN or to a social network and hoping that some good soul working at that company notices the issue and decides to solve it.


If you look through those they are almost all about people forgetting their password or losing whatever they are using for 2FA: that is exactly what I'm worried about!

In my particular case, I am happy with my 2FA setup for Google (three security keys, across multiple locations) so I think that category of lockout is pretty unlikely.

And I've already lost my keys once in my life, about 20 years ago.


How do you think that compares to "lost my keys" or "lost my wallet"?



What I'm advocating for above is that people get multiple hardware tokens, and keep them in separate safe places. What Doreen is running into is that if you use your phone as your only second factor you have a problem if your phone stops working. I don't see how these are in tension?


I think our expectations are simply out of alignment. What you're advocating for is unreasonable if a loss of hardware tokens means a permanent loss of account access with no recourse, and I don't think that's a hard case to make to legislators and regulators.


I didn't say anywhere that loss of a hardware token should mean "permanent loss of account access with no recourse"?


What resource can Doreen go to at Google to get access to their accounts if Google’s security algorithm is requiring access to devices or authenticators they no longer have? I’m trying to be reasonable, but all I see is a tech company that enforces strong security practices with no exception handling. Great for Google and keeping costs down from an infosec and customer service perspective, but highly detrimental to those who lose what is very valuable to them (their emails and digital identity), and humans will lose valuable items (including devices, authenticators, and recovery codes) all the time.

I don’t expect us to solve this here, and I’m sure my perspective will differ substantially from those affiliated with Google or tech professionals in general (who don’t fully internalize the layman’s experience). I do believe I’ve provided sufficient evidence that this is a real problem, and it’s likely going to require federal statute or FTC guidance to require tech companies to recalibrate their customer service and infosec ops around access and identity.

Regardless, I appreciate the discourse on this topic.


I don't understand why you're arguing this with me? It doesn't seem to relate to anything I've said above.
