



For example, let’s say you’re using a Google account as the root of your online identity: Gmail, Fi, Sign in with Google, Google’s password manager, and so on. How likely is it that you’ll get locked out? Should you be doing something else instead?

To get an idea of how common lockouts are and how they happen, I looked at lockout reports on Hacker News, searching for [google locked out] and [google blocked account]. I looked at top-level stories, and comments on them, describing cases where people were permanently locked out of their accounts. I excluded cases where only some Google services (Payments, AdWords, etc.) became inaccessible, and cases where people regained access on their own; I did count cases where regaining access took a lot of attention on HN and Twitter.

There are two reasons why people seem to get locked out.

Security lockout: Google isn’t sure you are you, and is trying to keep attackers from breaking into your account.

Policy lockout: Google doesn’t like what you did. It flagged your account for fraudulent activity and permanently suspended it.

Going back to 2008, I found 32 cases (spreadsheet): 22 security lockouts, 7 policy lockouts, and 3 with too few details to tell. I think this likely undercounts security lockouts relative to policy lockouts: reading the comments, many of the security lockouts were “it happened to me” replies, while policy lockouts became mainstream news stories. [1]

For security lockouts where you can tell what happened, the most common cause is that someone configured a backup method (phone number, recovery email, 2FA) that they could no longer access. The second most common is that someone didn’t set up a backup method at all and Google considered their login suspicious.

Security lockouts are a tricky problem because failure in either direction is very bad. All of the cases above are false positives: someone who should have gotten back into their account but didn’t. But there are also false negatives: an attacker who gets into someone else’s account.

I’m not convinced Google is wrong to flag suspicious logins, though. If my account is protected only by a password and someone else has it, should Google let them in? The problem with saying yes is that it means many accounts get compromised: passwords are commonly exposed through phishing and cross-site password reuse. Using other aspects of the login, such as country, device, and activity patterns, as a kind of pseudo-2FA probably improves the overall user experience. If my username and password suddenly show up from a new device in Russia, there is a good chance someone is actually trying to break into my account. Fortunately, users have a better option: set up 2FA and opt into tighter security. The more ways you can prove you really are you, the lower your risk of both being hacked and being locked out.
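To make the trade-off above concrete, here is a small risk-based login evaluator. It is an added illustration, not Google’s logic or code from the original post; the signals (known device, recently seen country), the account fields, the `allow`/`challenge`/`deny` outcomes and the sample accounts are all constructed assumptions. It shows the two failure modes the paragraph describes: a password-only account with no recovery method gets a hard lockout from an unfamiliar device (false positive), while an attacker who already holds the password and uses a familiar device and country is let straight in (false negative), and an account with 2FA configured avoids both.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Account:
    user: str
    known_devices: Set[str]        # devices this account has logged in from before
    recent_countries: Set[str]     # countries seen in recent activity
    has_2fa: bool                  # a second factor (e.g. security key) is enrolled
    has_recovery_method: bool      # backup phone/email that can be used for a challenge


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool
    device_id: str
    country: str
    second_factor_ok: Optional[bool] = None   # None when no second factor was presented


def login_decision(acct: Account, attempt: LoginAttempt) -> str:
    """Return 'allow', 'challenge' or 'deny' for one login attempt.

    'challenge' means: ask the user to prove identity via a backup method.
    'deny' with a correct password is exactly the security-lockout path.
    """
    if not attempt.password_ok:
        return "deny"

    # With real 2FA the second factor decides; contextual signals are not needed.
    if acct.has_2fa:
        return "allow" if attempt.second_factor_ok else "deny"

    # Password-only account: use login context as a pseudo second factor.
    risk = 0
    if attempt.device_id not in acct.known_devices:
        risk += 1
    if attempt.country not in acct.recent_countries:
        risk += 1

    if risk == 0:
        return "allow"            # familiar context: accept the password alone
    if acct.has_recovery_method:
        return "challenge"        # unfamiliar context, but there is a way to prove it's you
    return "deny"                 # unfamiliar context and nothing to fall back on: lockout


# Constructed sample accounts (not real users).
PASSWORD_ONLY_NO_RECOVERY = Account("alice", {"laptop-1"}, {"US"}, False, False)
PASSWORD_ONLY_WITH_RECOVERY = Account("bob", {"laptop-2"}, {"US"}, False, True)
WITH_2FA = Account("carol", {"laptop-3"}, {"US"}, True, True)


def scenario_owner_travelling_no_recovery() -> str:
    # Owner, correct password, new phone, new country, nothing to fall back on.
    return login_decision(PASSWORD_ONLY_NO_RECOVERY,
                          LoginAttempt("alice", True, "phone-9", "RU"))


def scenario_owner_travelling_with_recovery() -> str:
    return login_decision(PASSWORD_ONLY_WITH_RECOVERY,
                          LoginAttempt("bob", True, "phone-9", "RU"))


def scenario_attacker_with_password_familiar_context() -> str:
    # Stolen password, but the attempt comes from a device and country the
    # account has seen before: nothing distinguishes it from the owner.
    return login_decision(PASSWORD_ONLY_WITH_RECOVERY,
                          LoginAttempt("bob", True, "laptop-2", "US"))


def scenario_attacker_with_password_against_2fa() -> str:
    return login_decision(WITH_2FA,
                          LoginAttempt("carol", True, "laptop-3", "US", second_factor_ok=False))


def scenario_owner_travelling_with_2fa() -> str:
    return login_decision(WITH_2FA,
                          LoginAttempt("carol", True, "phone-9", "RU", second_factor_ok=True))


if __name__ == "__main__":
    print("owner, password-only, no recovery, new context:", scenario_owner_travelling_no_recovery())
    print("owner, password-only, with recovery, new context:", scenario_owner_travelling_with_recovery())
    print("attacker, stolen password, familiar context:", scenario_attacker_with_password_familiar_context())
    print("attacker, stolen password, 2FA account:", scenario_attacker_with_password_against_2fa())
    print("owner, 2FA, new context:", scenario_owner_travelling_with_2fa())
```

The point of the example is the asymmetry: for a password-only account the context signals are all the system has, so every unfamiliar login either becomes a challenge (if there is a backup method) or a lockout (if there is not), and a familiar-looking attacker is indistinguishable from the owner. Enrolling a second factor removes both failure modes from this model, which is why the checklist below leans on backup methods and security keys.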

After looking at these reports, I think the chance of a security lockout is low enough that you don’t need to worry about it if you:

Don’t rely only on memorizing your password: write it down and keep it somewhere safe. This is also worth doing if you want someone else to be able to get into your account right away if something happens to you (Inactive Account Manager also works for this, but with a significant delay).

Configure backup methods (phone, email).

If a backup method changes (new phone number, old email address retired), update it immediately. You can check your configuration at myaccount.google.com/security.

Ideally, set up security keys for two-factor authentication, and if you do, set up three of them (for example: work, home, keychain, or phone).

But what about policy lockouts? I think the risk there is also very low. Aside from people who were already well known, it’s rare enough that it’s newsworthy when it happens. There are some things you should avoid doing, but other than that you don’t have to worry.

Even if the risk is low, wouldn’t it be better to switch to something even less risky? The problem is that security and policy lockouts happen with any service. For example, in HN discussions people often recommend Fastmail and Protonmail, but they have had problems too (FM: 2017, 2020, 2022; PM: 2018, 2019, 2021). That doesn’t sound lower risk, especially considering that these are much smaller services. Any system has to handle this kind of problem, and you won’t find one that is completely free of false positives.

This is not to say these companies couldn’t do better here. Without the outrage when they make bad calls, I think they’d be somewhat less invested in trying to make good ones, so that anger makes sense. Still, after reviewing the reports above, I’m comfortable with the level of risk involved in keeping my Gmail account as my primary one.

(Disclosure: I used to work for Google, though not on anything related to this.)

[1] This comparison ignores “true positive” lockouts, where someone is correctly denied access to an account. That includes both true positive security lockouts (keeping someone else out of your account) and true positive policy lockouts (someone losing their account for genuine misconduct such as outright spam). Both of these are probably very common, and their relative frequencies don’t matter much here.

