I Out-Googled Google
Last week a friend, former professor of mine, and leading authority on computer security posted on Google+ a recommendation that people who have Google accounts should enable two-factor authentication. Basically this means that, if Google doesn't recognize your device or location, it asks you for confirmation via another medium (phone or text) in case your account has been hacked, phone has been stolen, etc.
I use Google a LOT: Gmail, Google Voice, Google+, Google Calendar, Google Analytics, etc. etc. Although I wasn't wild about the idea of adding a small hassle to my Google login experience, I figured it was worthwhile to prevent what would be an absolute catastrophe if my Google account were compromised.
So I went to my Google Account page and checked the box for two-factor authentication. The website then walked me through a few steps explaining the process and setting it up. When it came time to enter my phone number, I wavered a bit. Would it be a problem if I used a Google Voice number for my Google Account verification? It wasn't clear to me from the website if it would be or not. I didn't want to use my AT&T mobile number in case I changed it in the future and forgot to come back and update my two-factor authentication.
It was a bit of a quandary. I tested the notification with Google's "test run" tool, though, and it worked fine with my Google Voice number so that gave me confidence to proceed with that number. With a big warning that I was about to be signed out of all my Google accounts, I clicked the final Submit button.
When I tried to log back in, as expected, it said it was sending me a text to confirm my authenticity. The text never came. I waited . . . and the text still never came. When I checked my phone, I had been logged out of all my Google services there too and it was clear that, as I had originally feared, I was in a bit of a Google catch 22.
I searched through Google Help and it turns out that they have a way to let you back into your account if you find yourself locked out - whew! It would take up to 24 hours and would be a huge inconvenience, but not the end of the world. I set it in motion immediately. Then I received something unexpected: a call.
It turns out that, even though I was locked out of Google Voice, Google Voice was still forwarding phone calls to my mobile number. It was probably forwarding text messages too, but I had long since disabled that feature as I preferred to receive the messages just in my Google Voice app. Doh!
Once I discovered this fact, I was able to change my second authentication factor to voice instead of text. This worked like a champ and I was able to log in to my Google account - briefly! Then the Google account reclamation mechanism that I had initiated earlier kicked in and locked me out again for several hours until I finally received an email from them to reset my password.
So in the end it caused me nearly a full day of inconvenience and and no access to my Google accounts. While it was technically my fault, I would have hoped that Google would have anticipated my predicament a bit. At the very least, a warning to proceed carefully if using a Google Voice number would have helped. More helpful yet would have been some automated identification that the number I'd entered was a Google Voice number.
Even though I now have figured out how to get by this catch 22, I have irrationally disabled two-factor authentication anyway. The trauma of what happened has left me craving the safety of the previous status quo. Again, I don't thing Google has done anything technically wrong here, but I hope they'll take this experience as data about their usability and the effect it has on adoption of their features.