
Google is better than all other alternatives in that regard. They have a feature called Advanced Protection where you add your 2FA U2F keys and if you lose them your account is gone. No social engineering possible.

https://landing.google.com/advancedprotection/



> if you lose them your account is gone

IMO, this is way too extreme for almost everybody. There needs to be some sort of happy medium so that a person who's lost everything they own (e.g., house fire) can get their account back somehow still. Two ideas I had:

1. When you set up your account, provide your legal name, date of birth, and a photo. If you need to reset 2FA, go somewhere in person with a government-issued photo ID (which we already have procedures to replace) that all of the details of match.

2. When you set up your account, provide 5 trusted contacts. If you need to reset 2FA, get 3 of them to agree.
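The "5 trusted contacts, 3 of them agree" idea above is a k-of-n threshold; one way to realise it cryptographically is Shamir secret sharing, where a recovery secret is split into 5 shares so that any 3 reconstruct it and any 2 reveal nothing. This is an added example, not anything Google or the commenter describes; the field prime, share layout and the constructed secret value are assumptions.

```python
"""3-of-5 social recovery modelled with Shamir secret sharing (added example)."""
import secrets

# 2**127 - 1 is a Mersenne prime; secrets must be smaller than the field size.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, n=5, k=3):
    """Return n shares (x, y) such that any k of them reconstruct `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret;
    # fewer than k points leave the constant term uniformly undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the given shares at x = 0 to recover the constant term."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recovery_demo(secret=0x123456789ABCDEF0):
    """Constructed recovery secret split 3-of-5: three contacts succeed, two fail."""
    shares = split_secret(secret, n=5, k=3)
    with_three = recover_secret([shares[0], shares[2], shares[4]])  # contacts 1, 3, 5
    with_two = recover_secret(shares[:2])  # only two agree: wrong value comes out
    return with_three == secret, with_two == secret  # (True, False)
```

The recovered value would unlock whatever the provider stores for the account (for example an encrypted 2FA reset token); each contact keeps one share and only hands it over after verifying the owner out of band.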


Advanced Protection does have the account recovery. https://landing.google.com/advancedprotection/faq/ It is just very slow as it's a human process. There's very little reason you shouldn't use Advanced Protection, if your account is important enough.


Big caveat being you can no longer use the account to develop things with the Google API or use some third party clients (e.g. rclone).


Which Google API do you mean? I use advanced protection and have developed various things with various Google APIs, I just use a service account with minimal privileges for each thing I'm developing, which is probably best practice anyway. Not sure about rclone but probably it would work fine with a service account too?


It blocks any unverified OAuth app, including the ones you create yourself.


It sounds like you're trying to use APIs with your personal account rather than using a service account though? Again, I use Advanced Protection and I've never encountered the problem you're describing.


I'd just use a dummy account for developing.


>If you need to reset 2FA, go somewhere in person with a government-issued photo ID (which we already have procedures to replace) that all of the details of match.

Very few people are going to want to pay for this labor if the perception of risk of using a free account is as low as it is now.


What about giving people a choice like this to pay for the labor? Either pay $1 per month for your account, and then this service is free for you whenever you need it, or have a free account, but then this service costs you $1000 if you ever need it.


That would be nice, but I imagine there's a perception problem with that.

Simply offering the option would bring the risk to the forefront of people's minds, and once you start exchanging money, lots of other thoughts and liabilities begin to enter.

If it is kept free, then the conversation ends there.


If you choose to opt-in to Advanced Protection, you can keep a backup hardware token somewhere outside of your house.


My concern with that is that if something happened to the off-site token (e.g., ESD damage, or even just random failure over time), I may not realize until I needed it.


If you would like to take advantage of such an option, you are also opting in to taking on an operational burden. That burden is exactly maintaining a set of backup keys and testing them on a regular basis.


And that's why "everyone should just use yubikeys" is never going to happen.


Everyone already pays the same operational burden with their house keys, which are far more difficult to manage for the average person (as they leave the house constantly). It's worked fine for hundreds of years.


If you lose your house keys, you get a locksmith to break into your house for you - your house doesn't become unusable forever more.

If you ever need to have this done, you'll realise how much house keys and door locks for many cases really only stop the opportunistic "pull the handle and see if it opens" attack. If your door has above average security they'll need to drill the lock, but the time I had to call one they could just push a tool through the letter box and break/move the bolt by applying leverage from the "indoor" side.


> If you lose your house keys, you get a locksmith to break into your house for you - your house doesn't become unusable forever more.

Same with 2FA. Just like a locksmith, it's a "human in the loop" situation where you'll need to give identification etc.

The rest of your post isn't relevant; it's just about picking door locks.


House keys don't just randomly break the way electronics sometimes do, though.


I would bet that door locks and keys break pretty often. I know I've had many door locks that you had to wiggle just right.


I agree with this, it was my original expectation.


I've always thought the Post Office should offer something like Option #1.


That way you end up with the same issues as we have now with SIM swapping: Post Office employees are not more reliable and not necessarily more careful with their credentials than people who can give you a new SIM card.


The post office does (did?) ID verification for first-time passport applications. I think that’s about as good as you can reasonably expect since it gets you a bona fide, universally-accepted proof of ID that would work anywhere else.

I would bet that the post office employees are a bit less susceptible to the “hurry up and hit your metrics” pressure than someone at the Verizon call center.


In another universe, the Post Office manages the email services, too. Sigh ...


“If you lose your key and are still signed in on one of your devices, visit account.google.com to add or replace a key. Otherwise, submit a request to recover your account. Google may take a few days to verify that it’s you and restore your access.”

I trust that it would be (potentially much) harder than normal, but it still seems to be possible.


I was under the impression you were screwed in that case, thanks for pointing out that I was wrong. It's a lot less secure than I thought.


Still sounds like a significant barrier to most phishing attacks.


A little bit. It's mostly a time delay, since the alternatives to verify your identity seem to be a different email address or a phone number and then you're back to square one imo. The phone number is still susceptible to social engineering and the alternative mail likely is too. Ideally I want something where keys gone = account gone. Now a dedicated scammer could still succeed and it sure doesn't provide any real safety for political groups, which Google kind of claims it does by using testimonies from politically vulnerable people to "advertise" the Advanced Protection Program. This is a tricky situation though, since your adversaries could get your keys and your password and then they control your account without any chance of getting it back, so it's definitely a double-edged sword.


> It's mostly a time delay, since the alternatives to verify your identity seem to be a different email address or a phone number and then you're back to square one imo. The phone number is still susceptible to social engineering and the alternative mail likely is too. Ideally I want something where keys gone = account gone.

I can think of options less extreme than keys gone = account gone that are still very secure.

e.g. To enable "Extra Advanced Protection" you have to visit Google HQ in your region, where your DNA is sampled. If you ever need to recover your account, you have to visit Google HQ again for another DNA sample, after which you're provided with account access, in person.


Definitely also a good, but still very extreme option. This might actually be more secure, depending on the threats you have to take into account. It would be possible to retrieve the account after a (physical) hack.


Just showing up in person by itself (with a stored photograph and maybe audio recording) is a pretty high barrier.


> DNA sample

And who's gonna pay for that? Seems pricey and doesn't exactly scale well.


I presume in this scenario you would have multiple keys and multiple backup accounts, so fallback to a likewise secured account is reasonable.


IIRC, Google will stop the "several day process" if you log in at any time.


Oddly enough, Google's Advanced Protection is the gold standard in my opinion, yet Firebase Auth, an Auth-as-a-Service product from Google, only supports SMS as a second factor, which is baffling to me.



