This isn't a security flaw, this is incompetency. Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.

This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.

Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.



>Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

You would think that using a backup code would prompt a "Do you want to alter 2FA?" workflow, since the user is already at the "2FA has gone wrong" point.


I'm sorry, but when you lose control of and access to your data, but someone else has control and access, that is a security flaw. There is no meaningful difference between broken 2FA and ransomware.
