
If we reason from good faith and consider that this is intentional and not a bug, have you considered that Google did not implement "blocking suspicious 2FA" just to mess with you?

That perhaps this deals with a very real threat? Google has no incentive to make it difficult for you to log in, it's the exact opposite.



The problem is not really that they do it, but that they don't adequately inform users about this risk and that they fail to offer proper support and alternatives when it gets triggered. If they offered proper support a whole lot of the user despair and anger would disappear.


I agree to some extent, but also consider that whoever designed this may not be as intelligent or as widely experienced in certain matters as is necessary for the real world.


I have no doubt it deals with a real threat. That doesn’t change the fact that I’m regularly unable to log into my Google account.

Usually it happens when I’m using multiple devices simultaneously—for example, Android and iOS. It’s understandable that Google considers that to be suspicious, but if Google isn’t going to learn on its own, there needs to be some way for me to confirm that nothing is amiss. It’ll ignore everything from TOTP codes to YubiKeys.


I have an opposite anecdote: I moved to iOS but kept my (4-year-old) Android device active, and now I basically hop between a few iOS devices (but just one iPhone) and a Pixel 2 regularly. The only account that appears to dislike that is my work Microsoft 365 account that demanded I reauth all devices a couple times.

Not saying it's not true (I believe you), just that it's not designed to be a suspicious case, at least.


It’s definitely a point that should be made. Typical TOTP tokens are weak MFA in takeover scenarios, especially considering that people have a bad habit of syncing them between devices.

What a lot of the grumpy posters here probably aren’t mentioning is that many are probably doing high-risk-signal stuff like running through public VPNs. Google and Microsoft know a lot about what you are doing and what scammers do. They score risk accordingly.



