Review

Let's say you use a Google account as the root of your online identity: Gmail, Fi, "Sign in with Google", Google's password manager, etc. How much should you be worried that you'll suddenly find yourself unable to get into everything? Should you do something else instead?

To get a sense of how common lockouts are and how they happen I looked through lockout reports on Hacker News by searching for [google blocked account] and [google locked out]. I looked at top-level stories and the comments on them for cases where people were entirely locked out of an account; I didn't include cases where people lost access to only some Google services (Payments, AdWords, etc) or where they did get back in on their own. I did count cases where it took making a lot of noise on HN or Twitter, though.

There are two reasons people seem to get locked out:

  • Security lockouts: they're not convinced you're you, and are trying to prevent an attacker from getting into your account.

  • Policy lockouts: they don't like you. They've flagged your account as abusive, enough that they completely suspend your account.

I found 32 cases (sheet), going back to 2008. I found 22 security lockouts, 7 policy lockouts, and 3 with too few details to tell. I think this likely majorly undercounts security lockouts relative to policy ones: reading the comments, a lot of the security ones were like "that happened to me too" while the policy ones got mainstream news articles. [1]

With the security lockouts, in cases where you could tell what had happened the most common reason was that someone had configured a backup method (phone number, recovery email, 2FA) but no longer had access. The second most common were cases where someone hadn't configured any backup methods and Google was considering their login to be suspicious.

Security lockouts are a tricky situation because failures in either direction are very bad. All of the above are false positives: people who should have been let back into their accounts but weren't. But there are also false negatives: cases where an attacker was let into someone's account.

There is a question of whether Google should be flagging suspicious logins at all, though. If my account were protected only by a password and someone else got it, maybe Google should just let them in? The problem is that this would mean lots of hacked accounts: it's common for passwords to get revealed through phishing or cross-site password reuse. Using other aspects of your login, like your country, device, activity pattern, etc. as a kind of pseudo-2FA probably does make things better for users overall: if my username and password suddenly appeared from a new device in Russia there really is a good chance that it's someone trying to hack me. Luckily, users have a better option: opting into tighter security by setting up good 2FA. The more ways you can demonstrate that you are actually you, the lower the risk both of hacks and lockouts.

After going through these, it seems to me that the likelihood of a security lockout is low enough not to worry about if you:

  • In addition to memorizing your password, write it down and store it in a safe place. This is also worth doing if there's someone you want to have access to the account immediately if something happens to you (the Inactive Account Manager is also good, but it reasonably has a substantial delay).

  • Configure backup methods (phone, email).

  • Update backup methods promptly when they change. You can see what you have configured at myaccount.google.com/security.

  • Ideally, set up security keys for two-factor authentication, and if you do set up three (work, home, keychain or phone).

What about the policy lockouts, though? I think the risk there is also very low: these are rare enough to be newsworthy when they happen, even if they don't happen to anyone previously well-known. I put a little effort into avoiding grey areas (not filing chargebacks to Google, not taking pictures of my kids in the bath) but otherwise don't worry about this.

Even if the risk is low, however, maybe it would still be better to switch to something else that is even lower risk? The problem is that security and policy lockouts are something you can find with any service. For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.

This is not to say these companies can't do better here: without the outrage when they make a bad call I expect they would invest somewhat less in trying to make good calls. And if a provider does give a consistently worse experience than other options migrating makes sense. But after looking through the reports above I'm comfortable with the level of risk involved in keeping my Gmail account as primary.

(Disclosure: I used to work at Google, though not on anything related to this.)


[1] In this comparison I'm ignoring "true positive" lockouts where someone was correctly denied access to an account. This includes both true positive security lockouts (where someone else is prohibited from getting into your account) and true positive policy lockouts (where someone loses their account for legitimately abusive behavior like blatant spamming). There are likely tons of both of these, and their relative frequency isn't very important.

Comment via: facebook, mastodon

New Comment
12 comments, sorted by Click to highlight new comments since:
[-]Shmi177

Hmm, I guess not putting all your eggs in one Google basket might be a way to reduce risk. Things like using a custom, not @gmail.com primary email, something you can easily move to another provider, keeping a locally decipherable copy of your passwords, avoid "sign in with Google" (probably not a good idea in general, anyway), autoforwarding your emails to another account, saving other important information, like Google Photos and Google Drive locally... Of course this introduces more security issues, and takes an effort, so it is a bit of a balance.

avoid "sign in with Google" (probably not a good idea in general, anyway)

Why? A security system where I demonstrate my identity clearly to one party I trust (using password + security key) and then they authenticate me to other sites (sign in with Provider) is a lot better than having accounts on each of these sites where either (a) they're just a password -- risky or (b) I have to visit the site to re-enroll security keys if I lose+replace one.

I guess my personal aversion to signing up with google is that you give your real name to a service you might not want to know your real name and everything else associated with it. It might be that google only authenticates you without passing any other information to the provider, but this is not at all clear to me, even if so, and I would probably need to trust an advertising company to act against their best interests.

I agree you can reduce risk that way, if you put some thought in it, but my main point with this post is that the risk is low and so efforts to reduce it may not be worth it.

First, you didn't really convince me that the risk is sufficiently low. Imagine estimating any other kind of problem by "how many people complain about it in news"; your estimate would probably be a few orders of magnitude lower than reality. Out of 100 people who lose access to their Google accounts, how many read Hacker News, and how many will make a post about it? Probably fewer than one.

Also, the risk is not distributed uniformly: people who use the computer more often, or in ways more diverse than reading social networks, are probably in greater risk of triggering something or someone. So even if the risk is negligible for the average GMail user, it may not be negligible for someone more exposed. In general, I would expect professors to be at greater risk than students, and IT people to be at greater risk than non-IT people.

Second, things change, the risk may be low today, but what about 10 years later? If I set up things today to use "sign in with Google", I will probably procrastinate on changing that even if I notice some warning signs.

Out of 100 people who lose access to their Google accounts, how many read Hacker News, and how many will make a post about it? Probably fewer than one.

For the security lockouts, which were almost all people posting about their own experience, the denominator would be HN readers, not all Google account holders, no?

For policy lockouts, it looks to me like HN is casting a wider net, but even if you figures of denominator is just HN users it's still very rare.

the risk is not distributed uniformly ... I would expect professors to be at greater risk than students, and IT people to be at greater risk than non-IT people.

I do think IT people are at somewhat higher risk than typical: many of the security lockouts were from people who used TOR, always clear cookies, or do other unusual technical things. But to figure out how likely this was I went by HN, and if IT people are at elevated risk then they would be overrepresented in my sample as well.

I'm not clear on why you would expect professors to have higher risk than students?

things change, the risk may be low today, but what about 10 years later? If I set up things today to use "sign in with Google", I will probably procrastinate on changing that even if I notice some warning signs.

I do think that could happen, but I think it's much more likely to change in the direction of fewer lockouts than more:

  • Security lockouts should decrease as deployment and understanding of hardware tokens increase.

  • Policy lockouts should decrease because they represent a mismatch between what Google (and it's automated systems) think is acceptable use and what a user does: for the ones where I could find details, they were generally gray areas. This sort of thing tends to become less gray over time as the company communicates more about where they are drawing their line.

I'm not clear on why you would expect professors to have higher risk than students?

How many people know you by name and may have a reason to be angry at you. How likely you are to become a target of a coordinated attack. (They may either try to get you cancelled, or try to hack your account which may be misinterpreted by some algorithm as you doing something suspicious.)

Edit: I've expanded this into a full post.

Three related concepts.

  • On redundancy: "two is one, one is none". It's best to have copies of critical things in case they break or go missing, e.g. an extra cell phone.
  • On authentication: "something you know, have, and are". These are three categories of ways you can authenticate yourself.
    • Something you know: password, PIN
    • Something you have: key, phone with 2FA keys, YubiKey
    • Something you are: fingerprint, facial scan, retina scan
  • On backups: the "3-2-1" strategy.
    • Maintain 3 copies of your data:
    • 2 on-site but on different media (e.g. on your laptop and on an external drive) and
    • 1 off-site (e.g. in the cloud).

Inspired by these concepts, I propose the "2/3" model for authentication:

Maintain at least three ways you can access a system (something you have, know, and are). If you can authenticate yourself using at least 2 out of the 3 ways, you're allowed to access the system.

This prevents both false positives (hackers need to breach at least two methods of authentication) and false negatives (you don't have to prove yourself using all methods). It provides redundancy on both fronts.

"compared to what" is the important question for this kind of analysis. I currently have Google hosting e-mail for my domain (and as of last year, I'm paying for it).  I've considered moving it to save money, and currently laziness is winning over frugality.  I suspect security would go down if I used a free provider, and both convenience and security down if I self-hosted (as I did this for many years, but not as well as Google).

Also consider your phone identity, separately from your e-mail.  Using GFi means your UI is tied to Google, but there are annoying old-school telecom infrastructure behind it that may make it more vulnerable than your e-mail account.  I'm not sure there's much you can do about it beyond "prefer hardware or app 2FA over SMS, and prefer e-mail account identity over phone number".

In addition to memorizing your password, write it down and store it in a safe place. This is also worth doing if there's someone you want to have access to the account immediately if something happens to you (the Inactive Account Manager is also good, but it reasonably has a substantial delay).

Depending on your thread model it might be worth writing it down in a way that simply discovering the piece of paper is not enough to hack you. 

Here's another one: HN

In this case, it looks like a security lockout, where the poster has 2fa enabled with a phone number they migrated away from in 2022.

[-]jmh20

I suppose it might be due to many situations (employer or ISP for example) but I never hear anyone suggesting anonymizing the logon account you use, and even to some extent "randomizing" the logon. Just like with a password, don't use values that might be easily guessed by someone, don't use a logon value that someone would expect.