I almost lost access to everything I have online
I still remember creating my Gmail account at the age of 13 (around 2013), which I’ve been using ever since. Even back then, I vividly remember struggling to get my preferred email ID. I tried every short and long combination of my name to get the best Gmail address, failing every single time. I eventually ended up adding numbers to the end of my name to secure an available ID.
Since then, almost everything has become connected to your Google account, thanks to OAuth and OpenID Connect (OIDC) "Sign in with Google" flows. This makes your account extremely critical, not just for online services, but for practically everything that is connected nowadays. While Google is quite good at authentication and keeps accounts safe even by default, it still requires you to be responsible for certain things, in particular your recovery options. Failure to do so can result in losing your account, which quite literally means losing everything. And at Google’s scale, even Google wouldn’t be able to help you.
I came very close to losing it all myself. In my case, it was a series of unfortunate events. This almost led to my account being utterly compromised. My current setup is very hard to explain, so here’s a diagram illustrating how my account is used and secured.
As you can see, there were quite a lot of circular dependencies, which led to single points of failure. Here’s a summary of my setup:
- I didn’t have a recovery email added.
- I no longer had the recovery phone number.
- I didn’t remember the password, as it was stored on Bitwarden (a password manager).
- While I knew the password to Bitwarden, it had 2FA with Google Authenticator (as did many other services).
- Google Authenticator was synced with my main account and installed on two devices.
- All my backup codes were stored in Bitwarden.
- I had two trusted devices (Android phones) connected to my account. I also had some browser sessions, but those were useless at the time of recovery if I didn’t have the password or backup codes.
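The setup above is really an AND/OR dependency graph: each item (account, credential, device) is unlocked by any one of several paths, and a path works only if you hold everything on it. The example below is an added illustration, not code from the post; it models that graph with my own labels (`bitwarden_vault`, `trusted_phone`, `paper_backup_codes` and so on are assumed names, not real products or settings) and computes which items are still reachable after some are lost, and which held items are single points of failure.

```python
"""Model account-recovery dependencies as an AND/OR graph and find dead ends.

Each item (account, credential, device) is unlocked by ANY of its listed
paths, and a path succeeds only when ALL of its requirements are held.
Base items (a remembered password, a physical phone) have no paths: you
either hold them or you don't. A circular dependency simply never
resolves, which is exactly the situation described in the post.
"""
from typing import Dict, Iterable, List, Set

Graph = Dict[str, List[List[str]]]

# Constructed model of the setup in the post. Names are assumed labels.
SETUP: Graph = {
    "google_account": [
        ["google_password", "google_totp"],
        ["google_password", "google_backup_code"],
        ["google_password", "recovery_phone"],
    ],
    "google_password": [["bitwarden_vault"]],       # only stored in the vault
    "google_backup_code": [["bitwarden_vault"]],    # backup codes also in the vault
    "google_totp": [["authenticator"]],
    "bitwarden_vault": [["bitwarden_password", "bitwarden_totp"]],
    "bitwarden_totp": [["authenticator"]],
    # The authenticator lives on a trusted phone, or can be restored from
    # cloud sync, which itself needs the Google account: the loop.
    "authenticator": [["trusted_phone"], ["google_account"]],
}


def reachable(graph: Graph, held: Iterable[str]) -> Set[str]:
    """Fixed-point closure: keep unlocking items until nothing new appears."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for item, paths in graph.items():
            if item in have:
                continue
            if any(all(req in have for req in path) for path in paths):
                have.add(item)
                changed = True
    return have


def can_unlock(graph: Graph, held: Iterable[str], target: str) -> bool:
    return target in reachable(graph, held)


def single_points_of_failure(graph: Graph, held: Iterable[str], target: str) -> Set[str]:
    """Held base items whose loss, on its own, makes target unreachable."""
    held = set(held)
    return {h for h in held if target not in reachable(graph, held - {h})}


# A hardened variant (assumed fix, not the author's): the Google password
# is memorised and backup codes are printed, so neither depends on the vault.
FIXED: Graph = dict(SETUP)
FIXED["google_password"] = [["bitwarden_vault"], ["memorised_google_password"]]
FIXED["google_backup_code"] = [["bitwarden_vault"], ["paper_backup_codes"]]
FIXED_HELD = {"bitwarden_password", "trusted_phone",
              "memorised_google_password", "paper_backup_codes"}

if __name__ == "__main__":
    # Phones gone, recovery phone gone: only the Bitwarden password is held.
    print("locked out:", not can_unlock(SETUP, {"bitwarden_password"}, "google_account"))
    # The old phone with the authenticator turns up.
    ok = {"bitwarden_password", "trusted_phone"}
    print("with old phone:", can_unlock(SETUP, ok, "google_account"))
    print("SPOFs:", single_points_of_failure(SETUP, ok, "google_account"))
    print("SPOFs after fix:", single_points_of_failure(FIXED, FIXED_HELD, "google_account"))
```

Running it shows that with only the Bitwarden password the account is unreachable, that the old phone alone restores the whole chain, and that in the original setup both the phone and the Bitwarden password are single points of failure; in the hardened variant no single held item is. The useful habit is to run the `single_points_of_failure` check whenever a recovery factor changes, not after a phone is lost.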
So, here are the key points of what went wrong:
Long story short, I lost connection to my main account from both of my devices (don’t ask how), which meant no Google Authenticator and thus no TOTP for 2FA. Practically speaking, consider those devices gone.
I didn’t know the password to my account; Bitwarden knew it, but I couldn’t log into Bitwarden due to 2FA, which required TOTP.
I couldn’t update security settings (e.g., recovery phone/email) from my current browser sessions without the password.
I couldn’t get TOTP codes, as they were synced using my Google account.
The only way I could log into my account was through backup codes, which were stored in my password manager. However, I couldn’t access my password manager without the 2FA TOTP generated by Google Authenticator, effectively ruling out this option.
My last resort (or so I thought) was to call whoever now had my recovery phone number, explain the situation, and hope they would understand and initiate the phone number recovery to retrieve the OTP.
I prepared myself for a very difficult conversation and called my old number. But no answer. I tried multiple times, but still no answer.
At that point, I had lost all of my hope and wanted to start the recovery process for services that were connected with the account, as I still had access to Gmail’s mail while the browser session was valid.
Then it suddenly struck me that I still had my old Android phone (the OG Yu Yureka), which might still have my account logged in. I found the phone, charged it, and it miraculously booted. Fortunately, I remembered the pattern. In utter desperation, I quickly checked if the account session was still valid for my main account on the phone (no way that would be the case). As expected, the account session was long gone. But scrolling through the app drawer, I found something very interesting: an f**_ing authenticator app. BOOM! It had my account’s TOTP. I went from feeling like an unlucky, stupid sh*_t to the luckiest person who ever lived.
I think I have learned a few lessons from this. However, you might think there’s no way you could lose so much access to your things and be in a situation like this, but probabilistically, these are not very rare scenarios.
I think I need some kind of change in how I access and secure my online account/presence. Right now, I don’t know how exactly, but I will figure it out soon. But the thing I’m sure of is that I don’t want to be in a similar situation ever again.