A bug in Google 2-step verification

Having pulled my hair out for a few hours yesterday while on chat with a half dozen Google reps, I thought the hair loss might be partially redeemed by sharing my story in case it helps anyone.

I have a Google account I created just for my Nest Doorbell. I forget what horror stories I heard years back, but it convinced me it was wise to keep that data separate from my main Google account. And my Nest Aware subscription was due for renewal and I wanted to make some changes to it. And to do so, they needed to authenticate me. So they sent me an email.

The problem is, I don’t use that email box. So I had to set it up quickly. But to set it up, they needed to authenticate me with 2-step verification. And the second verification step they kept insisting on using was that I needed to open the YouTube app on my iPhone and tap some notification.

Well, my YouTube app is not configured for this Nest Google account and it never was. But I played along and tried to add my Nest Google account to my YouTube app. And when I tried, it naturally didn’t trust me there either, and so it again required 2-step verification. And so guess what it asked me to do?



That’s right.

From within the YouTube app on my iPhone, it has popped up a web browser where I’m authenticating, and it asked me to open the YouTube app on my iPhone to perform the second step of the verification! But I’m already in said app! And so not only am I incapable of navigating with this modal screen up, that app is (still) not logged in as me and so will never see the notification they try to send to it.

I’m in a catch-22 situation. Google knows what apps I have installed and where and to which accounts, and it clearly is ignoring that data or otherwise getting it wrong. It’s requiring a second step that I don’t have.

You’ll note the “try another way” option at the bottom of the last screenshot. That brings up some options including sending an SMS text to my cell phone. Perfect! But that option is disabled because there is a more secure method available. 🤦 Of course, the secure method they’re referring to is the one that I mentioned above, making this nothing more than a cruel trap.

It took Google way too long to figure this out. But the screenshots I posted above are the ones I showed them to convince them of my debacle.

Ultimately, I got in. I don’t know if they pressed a button behind the scenes or not, but they sent me to:

g.co/recover

which did ultimately get me in using an SMS.

Crucially, under the security tab on that website, I then let it generate a set of 10 backup codes that I have tucked into 1Password which can be used as alternatives to the second verification step.

I did also configure the mailbox on my Mac for future reference. And the only way I was able to do that was by burning one of these new backup codes.

So. There you go.

Now, wouldn’t it have been cool if Google could have used all their fancy AI and authenticated me by letting me stare into my Nest Doorbell and sing them a song?? 😎

I set up Google authenticator years ago for several Google accounts and it drives me crazy that they still insist on using this verification with one of their mobile apps rather than authenticator. I hate this change.

Interesting! They do say I can add Google Authenticator as an alternative method. But you’re saying you did that, and it still forces you to open a mobile app?

I would think that, in that case, the “Try another method” would let you choose Google Authenticator? No?

I want the default to be to use the authenticator. I think if I tap/click another method it will let me use authenticator, but that’s just another tap/click. The last I checked you couldn’t set it that way (make authenticator the default).
