Gmail's backup codes are useless to access account
85 comments · July 18, 2025
NearAP
It isn't just the backup codes.
More than once, I was in a different country and tried logging into a workspace gmail account. Google flags it as strange activity (fair enough) and needs to authenticate me. It asks me to enter the complete address for my recovery email (I do this), it sends me a code to use for sign in (I do this), but it still refuses to sign me in and says it can't authenticate me. It says I need to sign in from a location that I've signed in from before.
So, for the period that I was out of the country, I couldn't access my email. This happened each time I was in a new country. My only workaround was to sign in to my email (on my laptop) before traveling and not sign out (for security reasons, I don't like to do this).
Something similar happened when I used a new laptop.
I just don't understand this. What then is the point of having recovery email and phone number if you won't use them?
Ezhik
There's a Gmail account I've lost forever because Google wouldn't let me in even after doing 5 factor authentication (password, phone number, code from SMS, backup email, code from email).
ffsm8
Heh, same for me. (albeit only three factors, but more weren't configured)
It was firstname.lastname@gmail.com that I lost, as I was mostly using my original account with a pseudonym for anything private (was a teen when Gmail started, so didn't think twice about using a cringe username back then).
I had configured the first/last name Mail to forward everything to the pseudonym email and didn't access it again for something like a year... Then I had to respond to someone and... Well, Google never let me access it again.
I eventually gave up on it entirely and switched to a custom novelty domain on fastmail, much much later. (A portmanteau of my last/first name.)
xdfgh1112
This doesn't happen for me with regular gmail. I wonder if your workspace had a very strict policy.
NearAP
1) This also happens to non-workspace (regular) gmail accounts
2) I didn't change the policy on the workspace email when I signed up for it
The point is still - why ask me to authenticate via different methods and then reject them after I've correctly authenticated? If some policy is overriding these, then you shouldn't have asked me to authenticate via those methods in the first place.
Andrew_nenakhov
I try to always log in to Gmail via VPN that uses the same IP address from any location.
david422
I created a gmail account in 2004 and then completely forgot about it. Just last week I realized that I had registered that account. I went to the forgot my password page, and it prompted for the last password I remembered using, which I took a guess at. It told me that wasn't enough information to recover the account, and that was it, because I didn't have a backup phone, email etc. attached.
But then I thought- what if I just try that password to login. And it worked.
So when I thought I had forgotten my password, gmail prompted me for a piece of information that I got correct, and then wouldn't accept it.
I also have another email account that forwards all mail to my main account, but I've definitely forgotten that password, and I have no way to actually get back into that account, even though I've tried. I guess it just forwards mail forever.
roywiggins
> I guess it just forwards mail forever.
Probably not forever:
https://www.npr.org/2023/11/27/1215285876/google-inactive-ac...
nickdothutton
I'd love to see a fully mapped login/auth flowchart with every permutation. New accounts, ancient accounts, accounts with 2FA, without. I bet Google themselves don't even have one now. Remind yourself they are really just an advertising monopoly that does other things as a side project.
politelemon
They for sure won't have one, and various parts of the flow will have been worked on and happy path tested in isolation at different times, so that no googler ever hits the real world cases like OP did. I didn't even say edge cases because they are hit fairly commonly.
modeless
If you want to prevent SMS from being used, remove the recovery phone number and/or 2-step phone number from your account. That's how I've had my account set up for many years, to prevent SIM swapping attacks. Just make sure you set up all the other 2-step options.
Andrew_nenakhov
I did it on the account mentioned in the post (didn't set up TOTP though), and Google locked me out saying "You're entering correct password but we're not sure it is you. Try again later". And I tried and tried and tried, for a few weeks.
Then, after 2 months, I tried logging in and suddenly it worked.
modeless
I would start looking at the networks you are using. You may be unknowingly sharing your public IP or IP block with compromised machines that are part of botnets, which makes Google (rightfully) very suspicious of logins coming from there. I would also definitely get several hardware FIDO2 security keys as Google will likely trust those more than other forms of authentication.
Andrew_nenakhov
That was on my company office network that had a stable IP address for, I think, a decade. Thing is, Google is now known to randomly become very paranoid and protect you from yourself, and, coupled with the complete absence of any support, this often results in full account loss: you have better chances of speaking with the Prime Minister of Estonia by calling their office than of reaching someone from Google.
SoftTalker
When my bank introduced the option to use TOTP codes instead of SMS for 2FA, I said "Great!" and enabled it immediately. Unfortunately they don't let you remove the other 2FA options. So logging in, I now get three options for 2FA: SMS code, emailed code, or Authenticator code.
modeless
Yes, a lot of places don't let you remove the phone number. But Google does.
fauigerzigerk
True, I deleted mine long ago. They keep nagging me to add a recovery phone number though.
ikekkdcjkfke
So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?
modeless
The safest option is a hardware security key because it is not vulnerable to phishing. And I expect Google to trust it above all other forms of authentication because of that. So anyone who is worried about losing access to their account should immediately buy multiple hardware security keys. You don't have to buy them from Google.
reaperducer
> So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?
The safest option is straight out of 1994: Sticky notes.
Security keys can get lost or stolen. If someone breaks into your house or office, they're going after something other than a sticky note in your desk.
valrama
> and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.
It's interesting you got that message (via email?) one hour after you successfully signed in on your iphone. Are you sure it was not some phishing email or something? Also are you still logged in on that account or did you get logged out?
mikece
One of the first things I do with all of my Google accounts is set up TOTP authentication and not with Google Authenticator. So far I haven't had any issues getting into an account after not logging in for a while (because my gmails all forward) but I wonder if Google will disable standard TOTP in favor of requiring Google Authenticator (which will be a problem because then I would need to get a separate handset for each account).
Andrew_nenakhov
Google Authenticator is a TOTP client as far as I know, and it can transfer codes to third party clients without problems.
The point of my rant was that with modern day Google, TOTP authentication is not enough.
Eduard
Last time I checked (two years ago), Google Authenticator made it horribly complicated to export TOTPs managed by it. It took me an evening and many unsuccessful attempts to get my 10 or so Google Authenticator-managed TOTPs into a format that I was able to import into other open source solutions (e.g. Authy Authenticator Android app, KeePassX Linux application).
I don't care if things have changed, it was a shit experience. I highly suggest staying away from the Google Authenticator lock-in danger.
mikece
Google Authenticator, like the Microsoft Authenticator, goes beyond mere TOTP and if you use that (or it's required by Google) then you need an app that can receive a push notification as part of the 2FA. This is the part that would screw up a lot of the consulting work I'm doing with client Google accounts because it would mean getting a separate installed instance of Google Authenticator for each account.
hocuspocus
You're confusing Google device prompts and Authenticator. The latter is indeed a mere TOTP client.
By the way I'm pretty sure the prompts work with as many Google/Workspace accounts as you want.
thesuitonym
I haven't used Google Authenticator, but most authenticator apps allow you to have multiple accounts connected. It would be insane to me if Google didn't.
hocuspocus
Of course, it can hold as many secrets as you want. It syncs them to only one Google account though, but that's irrelevant.
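The subthread above treats Google Authenticator as a plain RFC 6238 TOTP client whose secrets any other app can consume. As an added example (not code from the thread, from Google, or from any authenticator project), here is the standard TOTP computation over the base32 secret format otpauth URIs use, a drift-tolerant verifier, and single-use backup codes stored as hashes; the secret in the demo is the RFC 6238 Appendix B test key, not a real account.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); 6 digits, SHA-1, 30 s is the common default."""
    return hotp(key, unix_time // step, digits)

def decode_base32_secret(secret: str) -> bytes:
    """Secrets in otpauth:// URIs are base32, usually unpadded and often shown lowercase or with spaces."""
    cleaned = secret.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept +-window steps of clock drift, compare in constant time."""
    candidates = (totp(key, unix_time + d * step, step=step) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)

def issue_backup_codes(count: int = 8) -> tuple[list[str], set[str]]:
    """Return the one-time codes to show the user once, plus the hashes the server keeps."""
    plain = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
    return plain, {hashlib.sha256(c.encode()).hexdigest() for c in plain}

def redeem_backup_code(stored_hashes: set[str], code: str) -> bool:
    """A backup code is valid exactly once: remove its hash on first successful use."""
    digest = hashlib.sha256(code.replace(" ", "").strip().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False

if __name__ == "__main__":
    # Constructed demo input: the RFC 6238 Appendix B SHA-1 test secret, not a real account secret.
    key = b"12345678901234567890"
    print(totp(key, 59, digits=8))  # RFC vector: 94287082
    print(verify_totp(key, totp(key, 59), 59 + 29))  # True: one step of drift is tolerated
```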
bsoles
LinkedIn did the same thing to me after I had enabled 2FA, completely locking me out of all my devices. Then, they asked me to send a picture of my driver's license to a third-party company, who does some kind of validation I guess, to re-enable my account. God, I wish I could delete my LinkedIn account, but it is my only professional visibility to the business world.
jbombadil
+1!
Please Google let me have a normal TOTP authentication. No SMS, no "open the gmail app on this other device and tap this prompt", no mandatory Google Authenticator, etc.
fauigerzigerk
You can add normal TOTP and delete Google Authenticator. You can also delete SMS. What you cannot do (I think) is remove Google Prompt if you are logged into your Google account on a phone.
mzajc
Google will occasionally brick my account telling me I "didn't provide enough info for Google to be sure this account is really yours". There is absolutely nothing I can do but wait for it to unbrick itself after a while, all while not being able to read any mail that comes its way. Support is completely useless.
Needless to say I decided to forward all mail elsewhere. I wouldn't touch Google for work with a 3m pole.
rvnx
It can even escalate to https://support.google.com/a/answer/1110339?hl=en
"Automatically suspended by Google systems for being at risk"
+ This is an automated message. Replies are not monitored.
https://www.linkedin.com/pulse/when-you-get-locked-out-your-...
Good luck.
Andrew_nenakhov
I wonder if there is a way to disable this SMS 'security' antifeature once and for all? I imagine it is a constant nightmare for people who travel abroad and do not always have connection on their number registered in their 'home' country.
FabHK
Indeed. I have a university alumni account that I haven't been able to use for some years because it is managed by Google, and they in their wisdom figured something was suspicious (maybe leaving the country or not logging in multiple times a day or cleaning cookies or something else that good patriots don't do).
They're asking for a phone number (so, good to know - if a hacker actually got my username and password, they could access everything Google has on me if they have a fresh phone number, I feel super protected), which I am reluctant to provide, but it still doesn't work.
As you highlight, no support.
Youden
On Gmail: https://myaccount.google.com/security -> "How you sign in to Google" -> "2-Step Verification Phone" -> trash can.
In general, no. I've wondered if legislation would be feasible though, especially given the flaws that have already been shown.
lxgr
To be a person is to have a phone number capable of receiving SMS, at least according to approximately every US company.
vouaobrasil
In my opinion, the #1 way to make Gmail better is to enable forwarding. Then you don't have to deal with their ugly interface, login system, new features, weird compose window, etc....
icedchai
I'm one of the few that likes the gmail interface, I guess. Whenever I'm forced to use Outlook's web interface, I want to vomit.
vouaobrasil
Yeah Outlook is harsh. I was comparing it to a dedicated mail reader like Thunderbird.
fauigerzigerk
Me too. I forward Outlook to Gmail.
Outlook is unusable but harmlessly so. What's worse is Microsoft 365. I simply can't find a way to configure 2FA in any kind of sensible way. Right now it's simply turned off, which makes me very nervous. Whatever I do, it is somehow overridden in other parts of their byzantine and always changing cat herd of admin sites. I'm waiting impatiently for our M365 subscription to expire so we can finally migrate off this nightmare.
midnightblue
Gmail has one killer feature, which is the auto-acceptance of calendar invites. To put it better yet, it will put any and all invites and invite-looking things from emails into your Calendar. You still need to mark "yes I will attend" manually. That, as far as I am concerned, is the perfect UX for this workflow. I don't wanna have to create calendar items manually, feels very previous-century.
I tried to migrate from Workspace to iCloud, but dealing with the insane OSX Calendar app, which not only does not put anything into your itinerary automatically but is liable to just disappear items from the Calendar randomly, put me off so much I went right back to Workspace.
Andrew_nenakhov
That's actually how I use that account, but this time I decided to check how it works with the iOS mail app on new iOS beta with that liquid glass interface.
I even dug out my computer that was logged in to this account in desktop browser, and it too blocks access. Crazy.
robertoandred
Or just use a different email client?
jonathantf2
From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.
reaperducer
> From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.
Very strange. I've been using both iOS Mail and macOS mail with my company's Microsoft Exchange server for almost a decade with zero problems.
I've also been using both iOS and macOS with Gmail on my personal account for close to 20 years across close to a dozen computers and devices, and the only problem I've ever had is when Gmail suddenly decides to let some company bypass its spam filter.
I think I use Gmail's web interface maybe two or three times a year.
Ok, I have a work account on Gmail. Having the experience of being locked out of Gmail previously (endless loop of "You are entering the correct password but we're not sure that it is you, try again later"), I created a 2fa via Google Authenticator and set up Backup Codes and thought I was safe from them asking me to sign in on another device or enter an sms code (I don't carry that phone with me).
So, one sunny day I decided to add standard iOS mail app to this account, and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.
Ok, I don't have that phone with me, so I try to log in with Authenticator, and no, no good: 'we are not sure that it is you, enter code sent to sms'. Ok, I dig out backup codes, enter them, and still get the 'we are not sure that it is you' message.
What's even the point of allowing me to set up Authenticator or Backup Codes if they don't do anything?
If there are some people from Google reading this, please, don't reach out to me offering to help. Just change this dumb system.