This comment does raise a serious concern. The primary reason why cell phone numbers are bad for 2FA is SIM swapping, which can only occur because there is a customer support rep who can fall for it. Email is largely immune to that right now because customer support generally cannot let you into an account you locked yourself out of.
This isn't to say that this is an unsolvable problem, it's not, but it's definitely worth talking about.
I'd like to see the Post Office (in the US) get involved.
Post offices are geographically ubiquitous, already deal with identity verification, and already have to maintain the trustworthiness of their workforce.
I'd like to see a system where (a) an account [whether GMail, Facebook, Schwab or Bob's Online Pet Food Mart] can be tied to a real-world identity and (b) when you lose access, you can go to the local post office to verify your identity and get a one-time recovery token for a given account.
If the US weren't pathologically schizophrenic about actually providing service to citizens, the post office would
(a) still be a government agency, not a wholly-owned subsidiary,
(b) already provide email via government servers and clients in kiosks at the post office (and the personnel to staff the service and handle high-touch troubleshooting) instead of relying on private corporations and organizations to be the sole providers of what has become a necessary service, and
(c) provide basic banking services, knee-capping the payday lending and check-cashing industries.
Google already has the ability to generate one-time-use recovery codes, at least for Gmail accounts -- not sure if it is generally integrated into their Authenticator app. You could generate some recovery codes and put them in a safe deposit box or something I guess.
This sort of solution (and your post office idea) can be, but they don't satisfy the last resort customer service role, for people who haven't set these kinds of recovery options up.
This IS the reply Shelley Rosen needs to see, understand and impart to her patrons. It does not cost anything, it is secure and it works.
I feel 2FA is a class libraries should be teaching. I am off to my local library to volunteer as a resource for that specific purpose. Anybody going to join me at their local library?
I was going to make the recovery code comment myself, but instead I did a search to see if anyone else had done so.
Kudos. I would vote this comment to the top of the discussion if I only could. IMO it should be (part of) a PSA.
This is all well and good if you've got a smartphone with Google's authenticator or have a safe deposit box. The people using a library for Internet access don't necessarily have access to either of those things. They also may have had access at some point in the past but no longer do.
I understand, and agree with you, but at the same time, a HUGE number of people don't have that identification. Many homeless people that could qualify for services struggle to prove who they are, and that they are able to receive it (especially vets) because they have lost their ID, have no idea where their birth certificate is (or marriage license), and have no home to show multiple bills to that address in their name.
At some point, though, the solution doesn't become "make it possible for anyone to access any account without any proof of identity", it becomes "make it possible to live in society -- receive medical care, eat, be sheltered -- without any proof of identity".
Proof of identity should be a government function, and that we likely have millions of people in the US with no way to prove their identity has real-world consequences beyond the flaw in my post-office-account-recovery-scheme; it affects access to benefits, as you said, as well as voting and being able to even prove your citizenship. That should be fixed too, but I'm not sure we can do any better for internet identity verification than the post office fallback.
Hard agreement with you here re: the USPS being involved in this kind of stuff. They are uniquely capable of being a major identity and trust provider. I'd love to see a PKI administered by the USPS. I'd love to get 2FA tokens issued by the USPS.
It certainly beats having to send an email to a faceless "support" address that ends up sending me the same 4 boilerplate questions when I try to figure out why my business locations' rule-compliant map listings were suspended from My Business even when I spend $15k per month on Google ads, sure. It hurts my business (there hasn't been a resolution since when the issue arose four years ago), but it's not nearly the hurt that the folks the librarian is helping are feeling.
Maybe, just maybe, if people are sobbing, maybe there's a good reason why! And maybe, just maybe, if you don't want to receive such support, you can advocate for a system in which you could opt out of all such processes entirely, instead of arguing that any form of account remediation shouldn't exist.
They could preauthorize a random token amount on a credit card with matching details, have you call the number on the back of your card to figure out that amount and then you have to input that number to authorize the access in an OAuth-like flow.
Please tell me if you see something wrong with my procedure?
edit: I saw something wrong, I have forgotten about the vast unbanked population in the rest of the world as we don't have that problem in Canada¹
As with every other "simple solution" to a complex problem there are a few flaws:
a) Google will have to require a credit card in order to open an email
b) person opening an email account must actually have a line of credit, e.g.: many of the people mentioned in the OP will not have it
c) opens a new attack vector on Google accounts, e.g.: people who secured their emails using 2FA app for example can now be attacked via a credit card process
But you already know what will happen next, don't you? People would stop using 2FA, then some donkey on a government contract with access to nuclear weapons gets hacked, and everybody would lose their mind: "how could Google be so stupid to allow people to not use 2FA?!?!?!"
I don't know if you are being sarcastic or naive here... Why would Hillary use her own email server for critical government correspondence? I don't know! Reasons I guess. People on all levels tend to do stupid stuff every once in a while.