The problem here is that misapplied empathy can lead to terrible decisions. Having Google change their 2FA system for this group would be one such decision. It's similar to the 'think of the kids + terrorism' attacks on encryption. It's socially difficult to argue against these ideas because you are then labeled as a terrible and non-empathetic person, but the solutions themselves make one other thing worse without really being helpful other than for garnering retweets and likes.

In this case, we actually aren't being ambitious enough. Why are we having a system where we give out phones every 12 weeks to each homeless person? We'd probably save money for the program by developing some sort of dedicated device designed to be harder to steal or lose. Maybe a high-autonomy low-powered KaiOS smartphone that can be attached as a strap? It's not like the current devices are working.

Why is it such a hassle to keep the same number after a theft? We could investigate there too. Improving this would be better than decreasing the effectiveness of gmail's measures.

Heck, if we want to focus on Gmail, why not focus on why it's the default choice for the homeless to begin with, as opposed to removing features.

We could try to solve the problem structurally but we prefer the caseworker approach, because it's more easily packaged 'empathy' than actually fixing the homelessness issue. It's like people who travel to developing countries to 'help', when the locals need investments and training facilities, not extra warm bodies. Actually giving homes to the homeless would probably be cheaper than whatever we are doing now, even taking into account the mental illness and drug-abuse problems that factor into this.

Google could put a toggle in Google Account settings titled something like "Allow anyone who knows my password to log in to my Google account (less secure)." It could sit above a description of the risks involved. It would need to be disabled by default, and it wouldn't help users who don't know about it. It certainly would not fix homelessness in society. But it would do a lot of good for a lot of people!

Would this option lead to some increased number of hacked accounts? Probably, but these would be accounts that explicitly opted in to that risk! I think it's excessively paternalistic to not provide the option. Every life situation is unique, and people know their own lives better than Google does.

The solution is to use one that is. Why are case workers directing the homeless to setup gmail accounts? Because they haven't been provided with a better solution by the system they work within.

So its the government's problem to fix. They are the ones handing out phones and setting the expectation to communicate through email. So they can either design an email service themselves that fits their needs. Or they can work with an industry partner, such as google or someone else to provide the service.

Normal gmail is a one size fits all commodity solution. It works well enough for most people, most of the time. Specialized problems call for specialized solutions. Complaining that google didn't think of you is misplaced.

Also, if I was homeless, I wouldn't want my email address to indicate I was homeless.

I broadly agree that it isn't Google's job to cater to everyone, but in this instance, the ask seems overwhelmingly reasonable—and less than what we expect in other circumstances.

With this in mind, what else should Google do?

It should be possible to turn this off!

What should Google do in the scenario that this purposely-low-security-for-the-unhoused account is breached? What about abuse? Are we OK with Google just shutting off accounts in that scenario? Are we prepared to accept that the members of our community experiencing being unhoused will find themselves constantly creating new accounts as their old ones are shut off or rendered unusual from the consequences of purposely-low-security-for-the-vulnerable?

Remember, things like gmail accounts are under constant attack. Security measures, the very ones we're talking about disabling, help keep those attacks at bay. Each of those things that triggers verification actually lines up with real attack patterns.

So while this may be a small-ish thing to ask for, I'm a little concerned about the consequences. We're literally asking to offer the most vulnerable and marginalized members of society shittier security and ignoring the effects of this.

I am, yes, if the alternative is that they loose access to their account every few months!

Also, at least this way people have the ability to keep their accounts truly safe if they choose a strong, unique password. If Google just locks them out no matter what, there's no recourse.

Good to hear, though I confess to a bit of confusion. The issue I pointed to is that they're going to lose access to their accounts frequently as their accounts get breached, abused, and shut off. As opposed to losing access because they lost their phone number.

> Also, at least this way people have the ability to keep their accounts truly safe if they choose a strong, unique password. If Google just locks them out no matter what, there's no recourse.

As described in the Twitter thread, we're talking about people who already struggle to remember their passwords. I doubt this will improve if we require basically regular people to have strong passwords, but perhaps you have reason to think differently.

Basically I think you're trading one cause of lockout without recourse for another cause of lockout without recourse with this proposal. This does not strike me as progress. For my own part, I think Google is the wrong place to be trying to address this issue - perhaps porting phone numbers within the Lifeline phone program would be better.

In short - yes, but the consequences defeat the point.

Using "support" and "Google" in the same sentence is laughable. They barely support the ad clients that pay their freight. Google's entire business model is built around NEVER providing support for the users of their technologies, and killing off any products that don't monetize.

Where on the gmail page does it say "not for homeless people, sorry"?

Adding (and forcing) 2FA was a recent decision from Google, which came a long time after Gmail the product was already introduced. There are millions of accounts which were created long before anyone had an idea what a smartphone was, let alone phone-based 2FA.

Not having 2FA is going to allow some portion of users to get hacked. When those users do get hacked they will need a way to regain control of the account. Methods of regaining access to an account are notorious for bad actors social engineering their way to gaining control of accounts.

2FA relieves some of that, because even if you do get hacked you can provide a token from the authenticator that was attached to the account, proving that you do in fact own that account.

> I think it's excessively paternalistic to not provide that option.

I don't find it paternalistic. The goal is to cut down on support costs by reducing the number of users who get hacked and need assistance regaining access to their accounts, and to force users to have a method of demonstrating they own the account even if they can't log in. That it confers some additional security to users is nice, but not really the end goal.

I don't think they do! This would be part of the tradeoff.

Currently, people who cannot use or rely on 2FA are getting locked out of their accounts even if they weren't hacked and knew their password! Isn't that worse?

I don't think so. You seem to presume the end state of both is that the user is locked out, which is only half true.

With a lost 2FA device, the user and everyone else is locked out of the account.

With a compromised account, the user may be locked out but the hacker is not. The hacker is free to impersonate the user to social services, hospitals, potential employers, etc. If there's no mechanism for the user to regain control of the account, the hacker will have that access until the user can contact all of those people and give them a new email address. That could take a while, especially if we're considering that the user has a high chance of not having a phone at the moment.

Not if it's happening to fewer people than the alternative.

I got "hacked", I mean yeah it was a hack using an Android phone and Google's automated recovery system.

If not for the latter, my incredibru strong password would've saved me.

They also removed the phone and backup email from that account because I recovered the account once.

I sure hope 2FA cannot be removed once someone gains access (not without a call to the 2FA number/whatever) lol.

Either way, I'm not using it because it's a pain in the ass. I already hate that they lock me out if I try to log in from another country.

Gee, yeah I travel between EU countries, that's very unusual for most people.

So we should be mindful of Google's profit margins, instead of homeless people's access to vital services?

But we should also expect Google to give a small crap about the troubles it's putting some of its users through, especially when this is so important to some of its most vulnerable users, and adding an option to disable 2FA is such a small feature for a Mega corporation.

Sure, homeless people and those who help them should pick an alternate free email service. And the government should either set up its own email or stop requiring email contact for this sort of thing. But for people who are already Google users, Google should also try to make their lives significantly easier with a tiny bit of effort (allow someone to explicitly disable 2FA for gmail - with all the warnings and cautions that they can).

• The people who want security get to keep all the security they get today.

• The people who don't think about security and leave default settings intact keep all the security they get today.

• The people who explicitly ask for less security get less security.

• Some of the homeless will get increased access to vital services.

It's a win-win—unless you believe, for some reason, that people should have security forced on them even if they explicitly ask to not have it. I fundamentally don't understand this mindset. People should have the right to do dangerous things if they are warned of the risks involved.

The problem with that is less security is almost always more usable than more security, which leads to the greater amount of people being in that state, which is not just a danger to the user making the choice, it is a danger to others.

That's like forcing pepboys to change the tires of senior citizens for free because social security isn't paying enough.

Maybe we should put our efforts towards fixing problems instead of asking private companies to put a bandaid on it at their expense.

1. Go to myaccount.google.com

2. Press "Security"

3. Press "2 step verification"

4. Enter your password

5. Press "Turn off"

6. Confirm the dialog that says "Turning off 2-Step Verification will remove the extra security on your account, and you’ll only use your password to sign in."

If you login from a new computer or unrecognized IP, Google forces you to use the YouTube app on your phone to enter a “code” to login. It sometimes doesn’t even let you get a text code. God forbid I lose my phone or delete the YouTube app and login from a new IP. I don’t know how I would even get into my account.

I don’t know how this isn’t a wider spread issue affecting more people but I guess Google developers live in a perfect world where the YouTube app auth can never fail and you never lose your phone.

I had the right password and recovery email but I wanted to txt a code to a phone number I didn’t have any more.

That seems insane to me. Right password, access to “recovery email” and still blocked.

What ended up working for me was trying to login when I took a vacation back to the same city when I last logged in.

Didn’t get asked for the OTP code, so could get in and update the number.

I wouldn’t have such an issue if Google had customer support and let you send other proof of identity. But they don’t.

And now I’m getting weird requests to confirm I logged in from the YouTube app on other devices. YouTube?

If you have 2FA enabled, then yes, of course it will ask you for the second factor if you're doing something unusual.

But with 2FA disabled, logging in with just a password works fine.

I believe you, I'm extremely surprised I didn't see this considering I've logged in from all sorts of sketchy IPs/VPNs.

> Look, I'd love to stop CP distribution in America! Really, I would! But Google's encryption policies are preventing law enforcement from intercepting pedophile communications now, today.

It's the same "think of [vulnerable group]" type of statement.

But also, yes, there are in fact many times when it's important to consider the needs of different groups of people! That isn't to say that the ends always justify the means—it depends on what the means are—but reasonable accommodations should be made where possible.

Google allows someone of your choosing, who must also have a GMail account, to takeover one's account after x months of inactivity. It's not great but it's better than nothing and it has the benefit of being an option that exists today.

Remember you have the “rescue keys” from google to avoid these kind of problems.

The bigger problem is how you teach those people how to use the services in their situation.

This point is worth reiterating. Homelessness can be solved by providing housing. Yes, homelessness is a complex multi-faceted problem, but the first order solution to the problem is to provide housing.

Homelessness is a problem with huge externalities to society. Put another way, homelessness is an enormously expensive solution to the problem of providing space for humans to live.

Some homeless people aren't capable of the maintenance of a home due to mental or physical issues.

Some homeless people refuse to accept help for mental issues for fear of being trapped in a psych ward.

Simply put, you need to split homelessness into temporary and chronic populations. For the temporary group, homelessness is the problem. For the chronic group, it is a symptom. Treating the symptom will not have a long-term impact on much of the population.

Source: conversations with a social worker friend who spent years working with the homeless population in our metro area.

You've got a good point. These leaves are really starting to pile up, and the snow will be upon us soon. I think I'll just say fuck it and sleep under a bridge, and leave the grounds keeping to the parks department.

You did set up a straw man solely to get knocked down, right? In actuality, the idea of giving "housing to everyone" doesn't mean an idyllic single family stick-and-drywall dwelling with a yard, but rather something communal - like a less-populous more-dignified shelter with a modicum of persistent personal space. The maintenance would be institutional, and come out of the same operating budget as administration, utilities, etc.

I feel like most of the "some homeless just want to be homeless" argument revolves around baking in assumptions that public housing should come with a bunch of strings attached, to make the residents' lives "better". In your comment, this is the responsibility for maintenance or mental health treatment. Such conditions are what turns people off, not some intrinsic love for sleeping rough.

Sometimes mental issues are purely genetic but often they can also arise from or be exacerbated by trauma. And homelessness sure is traumatic.

Most homeless people do not have a severe mental illness (around 70%) [1]. For most homeless people, it's primarily an issue of housing affordability. The solution is to reduce the cost of housing.

For the people who need more support -- due to mental illness or otherwise -- the affordable, effective solution is permanent supportive housing [2].

[1] https://www.treatmentadvocacycenter.org/evidence-and-researc...

[2] https://www.coalitionforthehomeless.org/proven-solutions/

“70% were receiving mental health treatment or had in the past.” "An April 2016 survey of New York City’s homeless population reported that unsheltered homeless individuals were most likely to be severely mentally ill single males." Something like 1 in 5 of the homeless in San Francisco have a traumatic brain injury.

None of these people are going to be fixed with mere "housing".

Even worse, putting these people who desperately need medical treatment in "mere housing" is very likely to cause the "mere housing" program to fail when it could have succeeded. The homeless who need "mere housing" don't want to be near the homeless who need "significant medical treatment" any more than anybody else does.

Homelessness has an "Amdahl's Law" nature to it. You have to separate out the different types of homelessness and apply the correct solution. And you will only gain the improvement for the group you "solved".

Consequently, you can solve 20% of the homeless problem and people will still say you "failed" because 80% of the homeless are still in their vision.

What ends up happening is they generally just destroy the living space in a variety of ways.

It's because the majority of homelessness is an issue of mental health. In the USA, there are pretty much zero mental health resources for people in poverty.

Citation very much needed here. This certainly does happen. But, I don’t believe this the general (i.e. typical) outcome. From what I understand talking to acquaintances who work in this area, wrecking the place is not the typical outcome. And property damage is generally cheaper to address than the constant provision of emergency services.

I agree that mental health (and substance use) are major factors in homelessness, but those issues are more or less impossible to address when people are living on the street with no permanent address and no place to keep e.g. a cell phone without it being stolen.

This has gone badly. The property sees intense vandalism and destruction, the neighbors are afraid for their safety, and the whole thing is an amazingly expensive boondoggle.

[0]: https://www.foxnews.com/us/austin-hotel-purchased-homeless-s...

[1]: https://www.statesman.com/story/news/2022/05/16/austin-homel...

1) Austin buys the property

2) Begins renovations on vacant premises

3) Vandalism takes place

---------------

4) The conversion is complete

5) Property officially offered to homeless residents

Steps 4 and 5 haven't happened yet. So homeless people who "generally just destroy the living space" isn't a good fit for what's going on. This is simply a situation of an unsecured construction site that has attracted squatters and vandals.

The risk of course is that you are ripping potentially live circuits out of a building. It usually requires you to already be impaired and desperate to do it. It's that fun combo of illegal and dangerous.

This isn't true or at least it doesn't start that way. What people don't understand is that there isn't a single homeless population. You have people who are temporarily homeless and people who are chronically homeless. The temporarily homeless are people who lost jobs, fell on hard times, etc etc. The simplest solution for them is yes to give them housing. The chronically homeless is where things get more complicated and those are the people who typically need mental health and abuse services. The simplest and most efficient thing we can do is help the temporarily homeless and prevent them from becoming chronically homeless.

I’ll take tautological statements for $200 please Alex

Also your sweeping statement about the destruction of their living space smells to high heaven prejudiced thinking based on myth or hearsay rather than actual data.

https://www.nytimes.com/2021/11/09/opinion/democrats-blue-st...

But yeah let us blame Google.

They used to be called asylums, and the problem is what to do if the homeless person refuses to go. I wonder why you don't hear about homelessness in totalitarian states...

Because vagrancy is punishable by prison time there.

Mark spent considerable time earning the trust of LA's skid row population – a large roadside tent community – and has a series of 1:1 interviews with a slice of the population, exploring their histories, challenges, preferences, and culture.

Mark doesn't believe that many (most?) of the skid row population would benefit from being provided with housing, and that issues of trauma, mental health, and childhood family environment are what he believes would have the highest leverage on the problem.

This is of course just one perspective on the problem, but Mark's perspective taught me quite a bit.

I don't think the temporally homeless, like someone down on their luck. makes up the issues people have with homeless. You see some crazy person, then you see that person is homeless, your answer to that is "oh give them a studio apartment!" and not lets help them with their issue. Police should be policing violent people, for some reason instead of that we want to build homes in the middle of nowhere and drop them off their. They're still going to cause issues.

But instead the justice system is set up to give effective impunity to the worst sort of homeless people; they're back on the street days after being arrested (if they are even arrested in the first place.) They cause incredible damage and commotion, so they hog all the public attention and give all homeless people a very bad name through association.

It could be opt-out.

> It's similar to the 'think of the kids + terrorism' attacks on encryption.

No, it's not. Nobody choosing whether _they_ enable 2FA affects your decision to use it or not. It's more like forcing drugs down somebody's throat because you believe it benefits them and everybody else is doing it anyway.

> Why is it such a hassle to keep the same number after a theft? We could investigate there too.

Sim-jacking. Somebody could claim to have lost it and just take your number. This has happened before. The problem of authentication is fundamental in security and Google are just passing the buck onto phone service providers.

> Heck, if we want to focus on Gmail, why not focus on why it's the default choice for the homeless to begin with, as opposed to removing features.

Because it's free and the emails don't bounce. Most big tech has 2FA now.

We have to break out of the stereotype that homelessness is a city problem. It isn't. Far from it.

Homelessness is more obvious in cities because there are fewer places for homeless people to be. But there are plenty of homeless people camped out in rural and suburban towns, if you know what to look for.

I recently lived in a snooty city suburb where most of the homes cost from $600,000 to $10 million, and guess what — the drainage tunnels beneath the Home Depot, the maintenance underpasses in the parks, the undeveloped wooded lots were all full of homeless people.

Promulgating the notion that homelessness is a city problem is what allows suburban and rural politicians to cut funding for homeless services because "it doesn't affect my constituents."

google isn't requiring specific 2FA data, like address, because they are stalwart guardians of data. They are harvesting data because that is their business.

The homeless don't have enough data to be of value to an entity like goolge

Homeless people don't have enough of anything to be an attractive target for advertisers.

E-mail needs to be a regulated utility, given that getting locked out of one’s email happens all the time with catastrophic consequences.

Sure, it's great that gmail is cheap, after all "it's free". But Google (and MSFT, fuck outlook.com in particular for their completely anti-competitive spam "protection" that only accepts email from other big providers) cross-finances gmail from their ad business, completely distorting every kind of service and product markets.

---

For email in particular what's needed is a LetsEncrypt-like community-driven solution for reputation management and acceptance of emails from reputable sources by the big inbox providers.

The long version (if it’s patronising please skim forward, I’m writing as an explainer for anyone else that comes along):

E-mail was originally a means to communicate informally between two participants over the Internet.

In this early version of the system the message would leave your machine, go to your Mail server, then the recipients mail server, then their inbox. This would complete the transmission and a copy would exist at both ends.

Companies providing ostensibly free online e-mail inboxes have slick sign-up funnels that on the surface seem to be offering a very similar system as the one above, with very little in the way of regulation around either the sign-up funnel or the mailbox (and which do not explain the catastrophic life consequences that can occur as a result of losing access to your mailbox).

These new mailboxes work differently from those of the early Internet, though:

1) Your mail is sent to your mail server. A copy may or may not be retained locally.

2) Your mail server transmits the message to the recipients mail server as before.

3) The recipient receives a notification of the e-mail and may or may not retain a copy locally.

This infrastructure is ubiquitous and now not quite 30 years after the early Internet we have an issue where you’ll be required to have an e-mail address for almost all public services and common accounts that have little to no online component. Your entire life, more or less, may pass through that inbox.

If one day you lose access to the account (in that you insert your password and the provider says no), you will lose access to your entire e-mail history.

You may attempt to reset some passwords for essential services, but you can’t, because they’re sending e-mails to verify your identity - which you’ll never be able to receive.

You move on, create a new account, and attempt to start over. However, e-mails - potentially important e-mails containing personal information - continue to be delivered to a mailbox that you can’t access ever again. Maybe you miss some important alerts.

Perhaps it was a gmail account that had your entire photo and video history in google photos. That’s now gone too. With your passwords, if you’re using chrome passwords.

You rebuild, and a couple of years pass, and perhaps someone else gets access to your account (either through a hack, or a rogue employee with access rights, or someone who guessed a badly thought out password).

You never find out that the account was accessed, so have no-one to complain to, and maybe you end up with savings or 401K/pensions getting emptied. Which in a lot of cases wouldn’t be discovered until they’re due to be collected.

Some of the above might sound far-fetched, but you’d be surprised how much having access to an email inbox is accepted proof-of-identity in 2022.

Hence the need for regulation.

"If one day you lose access to the account (in that you insert your password and the provider says no), you will lose access to your entire e-mail history"

This comes down to personal responsibility assuming you lost the password or even if it's the companies fault you should prepare for thus.

That's not the problem, that's a vague wave at a generic class of innuendo that could be used just as easily to rationalize not allowing your child to eat ice cream or Japanese internment. You have to make the case why Google changing their 2FA system is so much more important than the homeless having phone service, you can't just say "sometimes, empathy can be bad."

I'm not getting that from the rest of the comment, which seems like a gish gallop around a bunch of other things that we're also not going to do for the homeless, and about which you or somebody else can say "it's only human to be worried about other people going through these issues, but empathy can be bad. The answer isn't that HUD should change the second line of the third section of Form B, it's that we should fix the homeless problem completely."

edit: We can't use as an excuse for not making small changes that we should be making larger changes. The excuses that one makes to avoid making small changes will apply more so to larger changes.

It's not a 'gish gallop' but a framework for looking at the issue. I'm not saying that empathy is sometimes bad, I'm saying that it can't be the starting point for our reasoning. It can be the impetus that makes us act, but the actual solution should come first. Sure, maybe none of the things I'm proposing will be implemented. Maybe they're all godawful ideas, but I can't fix the problem in the five minutes it took to write the post or even five decades of intense research on my own. But it's clear that keeping to that pseudo-empathy performative martyrdom mindset is an active roadblock against the more ambitious solutions. And it leads to truly awful ideas such as getting rid of encryption, rights, and so on.

I'm not dismissing the whole issue, just that it was presented in a way that's not actually conducive to helping the homeless.

If you remove forced 2FA, you would be dismissing the hundreds of thousands (at minimum) of tech illiterate people out of the 1.5 billion users who would get cleaned out in the coming weeks. Why do their lives not factor into your calculus? Are they not vulnerable too? All of this for a measure that could be resolved in so many other ways.

This is the problem I'm trying to illustrate. This sort of moral appeal helps no one, and in fact endangers other populations. If the goal truly were to help people, no one would EVER suggest an alteration that would expose billions for the benefit of thousands.

You're putting the cart before the horse. The far simpler solution is for the government to provide the homeless with email. Now the auth can work however you want.

Also, homelessness isn’t the problem we think it is. It’s millions of problems. Any solution will never help more than a subset of the homeless population. We need to iterate on small solutions to make progress.

Then provide contingent housing based on staying sober, sticking to your treatment plan, and getting a job. You can graduate when you’re able to pay your own way.

For non-addict/mentally ill homeless, it’s housing contingent on employment, graduate when you can pay your own way.

This would solve 90% of the problem.

May I introduce you to the concept of scissors?

Let's say I care. Let's say I care a lot. I care so much that I'm willing to make it my personal problem to address the very real, very pressing needs of a critically vulnerable and marginalized part of my community from inside Google.

What am I going to do? Is anyone going to be happier if I stand up and proclaim loudly how much I care? Probably not.

Could I say "Gee, what if we just let everyone put themselves in the group of people who don't do 2FA"? Yes, if I wanted to be responsible for a lot of people not securing their accounts. Could I outsource identity verification to a wide assortment of groups (libraries, non-profits, etc.)? Absolutely, so long as I'm alright with this being used to gain improper access to a LOT of accounts outside the target segment. Could I offer more password chances and friendlier lockout times? Sure, so long as I'm OK with the negative consequences of this for a lot of people.

OK. Let's end the game now. We don't really have any major steps towards real solutions here. Empathy is very useful for showing where a problem is. Demanding what amounts to lowering the global bar for account security is perhaps not the ideal approach here.

Sometimes problems are just hard. Taking ownership and feeling empathy and sincerely wanting to solve the problem does not render them easy.

If you dont know how to control what happens in the park you build, then the park will be shutdown.

In the case of Google its not hard to speed up the process of shutdown. I just encourage them to keep working on more and more mindless ivory tower trash like Pixel phones, watches etc and inject more Ads into everything. They dont have the imagination for anything else but want a pat on the head for whatever they build. Give it to them.

On the one hand, this can be quite reasonably derided as a lack of imagination. Surely there must be a way to do it!

On the other hand, well, we as a society accept that businesses are generally allowed to decide they just don't want to be in a market segment or produce some features. Bridgestone is not compelled by law to have a store in every neighborhood. Montblanc is not forced to produce disposable ballpoint pens.

Perhaps we should treat this as Google admitting the limits of what they're willing and able to build. There is no shame in knowing your limits.

Gmail is functionally the root of trust / skeleton key to millions of people's online lives. The only real competitor is Facebook and, for some, Apple. I think Gmail is far better (more secure, more privacy respecting, less capricious) than Facebook.

With the admission by Chad that that homeless he advocates for can't retain mobile numbers, or ID cards, or 2fa keys, I have no idea how he thinks any secure access could possibly work.

As others have pointed out, turning off 2FA is available. Apparently that doesn't work either because the people in question forget their passwords. So I guess we should add passwords and biometrics (not available on all hardware) to the list of things that aren't going to work.

Like you, I'm left wondering what there is to anchor any level of security.

As I wrote, THIS WOULD NOT BE THE DEFAULT. It is quite possible to pre nominate the specific groups that can allow unlocking of an individual account. And that's all it is, account unlock when they use a new device, or putting the account into PW only mode for a period.

If the PW is forgotten you require a higher level of identity verification, like a bank/USPS/DMV process.

Facebook already has this enabled, you can have a friend/family member (or two of them!) validate your account.

If you're determined not to find solutions then you won't progress.

It's not that I'm determined to not find solutions. It's that I am determined to find solutions that don't create a degraded security state ready-made to abuse people's email accounts. Sometimes finding a good solution requires looking somewhere other than under the streetlight.

Like others, I'm led to the conclusion that perhaps Google isn't the party best positioned to solve this particular pain point for our most vulnerable and marginalized community members. Maybe we should be paying more attention to why Lifeline numbers aren't portable.

Social workers, shelters, libraries etc are well placed to support that. They know these people because they see them every day.

If you choose to enrol in the "community assisted recovery" process then you could enrol a new device into your email with their help. Put a big red banner at the top of the email client saying "Community recovery via Topeka Library, Kansas".

Lifeline numbers aren't portable because people have no way to prove their ownership of the previous number, because they have no ID.

The whole "community recovery" concept sets my teeth on edge. It's a whole alternative authentication avenue ripe for exploitation. Anything that positive and innocuous sounding is going to be the target of many an abuse campaign - think Cambridge Analytica and all the people who handed over their info to innocuous-looking things. Telling people all their info has been stolen isn't all that helpful for protecting them and knowing the specific library or shelter that authorized it will do very little to help.

Plus it turns the people designated as recovery agents into high-value targets.

Again, I'm not trying to avoid finding a solution. I'm trying to avoid finding a "solution" that puts a large number of people at risk unnecessarily.

"Sometimes problems are just hard. Taking ownership and feeling empathy and sincerely wanting to solve the problem does not render them easy."

No one said it did and it's better than not caring at all.

What if the most empathetic answer here is "This isn't really the right service for you"?

Recent story was a 65yo + veteran living in a shelter. They hadn’t started collecting social security due to some debts and was worried it would ALL be garnished.

After explaining that veterans get expedited in line for housing and that they would still get almost all of their SS, they have applied for it and should be housed soon.

It doesn’t surprise me at all that 2FA causes problems after hearing many stories similar to this one.

Is this common? I knew a guy who had the same mindset. I ended up paying him in cash for some work, he was convinced that if he made any money in a traditional role it would be instantly garnished.

And being paid $1k and assuming they'd have $1k and then discovering they only had $500 because of garnishment tells them "don't accept checks, cash is the only safe method".

And then it's not a step much further to be "it's not worth setting up social security because it'll all be taken".

People forget that there is a population group where fines are MORE HARMFUL than jail time. At least with jail, you can serve your time and be done.

A while back a guy destroyed a vehicle of mine and drove off. Per criminal law in my jurisdiction, he should have served at least 45 days for that offense. But it isn't like that would ever give me my property back. It's also unlikely to deter that particular crime in the population.

Another person needed an ID. In order to apply for the ID they needed a birth certificate. In order to apply for it they had to fill out the application, mail it with money, and then have a permanent place to have the birth certificate mailed an unknown amount of time later. At which point they then needed to apply for the ID and go through that process.

Your contractor’s actions makes a some twisted sense to me as he’s still receiving ‘undisclosed’ cash. The homeless veteran doesn’t make any sense to me as he was not receiving the social security funds at all.

Paying people under the table has a lot of potential liability for you and it almost always catches up with them. Especially now it’s just not viable to live off the grid (e.g. hoping you don’t get sick isn’t effective) and all this does is ensure that the amount they owe the IRS is unaffordable when the bill finally arrives, usually when their earning potential has gone down.

That isn't the same thing.

This is not black and white. It is possible to encourage 2FA but allow to opt out. The same for phone numbers.

And that's why companies enforce 2FA: they want your juicy phone-number or other data. And yeah, maybe they also want to reduce support costs and avoid bad publicity. Still, it's not in your interest, it's in theirs.

If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

EDIT: Yes, Google offers more than a phone number when creating a gmail account. I didn't say they don't. However: they don't make it easy and I would even go as far as saying that they are evil here. If you don't believe me, try to create a gmail account right now and don't google/search how to do it without phone number.

Which is okay, because it is a business.

If society wants homeless people to have reliable access to email without having SMS 2FA or whatever requirements a business requires, then society should elect a government to provide it as a utility.

There is no reason to expect or want businesses to pick up the slack for the government not providing adequate safety nets. Let businesses be businesses, and let governments handle redistributing wealth.

Initiatives at for profit corporations will always exist within some business constraints, shareholder obligations, and so forth.

It would be very reasonable for governments to provide tax-supported digital services. I could easily imagine that spending a few dollars per year to provide the homeless with basic digital services would pay off simply in easing administrative overhead.

But we don't do it, because, in America, our sense of what government can or should provide is atrophied, and we, mistakenly, look to private actors to provide basic public services.

I don't think this matches reality. The US government is doing more today than any time point in the past. Spending and taxation as a percent of dgp is at an all time high.

There's also a sense that nobody should have to do anything themselves. There's nothing stopping anyone from talking to a homeless person and helping them set up an email account without 2fa.

While public spending as a % of GDP has indeed increased, that's primarily driven by two things: increased defence (and related) spending, and increased spending on health costs.

In the US, the growth in social assistance spending over the last 3 decades is driven almost entirely by the latter: https://ourworldindata.org/grapher/social-expenditure-as-per....

At the same time, we continue to believe in privatizing basic government services: outsourcing social assistance to charities (including religious charities), outsourcing military and intelligence functions to mercenaries, or, on point for this thread, outsourcing ID verification to VC-funded private startups.

This excludes military spending and is adjusted for the purchasing power of those dollars.

I don't know about you, but I don't feel like we are getting 450% more value out of the government services. The numbers are pretty clear that the government is collecting more and more inflation adjusted dollars from people's income than ever before.

I Suspect we would probably agree that the government is not being a responsible steward of this money that it is collecting.

My primary point was that I don't think that the belief that a decrease in government spending and Revenue is reflected in the numbers. Further, I think it is important to push back on the idea that the systemic issues we see can simply be solved by throwing more money into an increasingly inefficient system.

Can governments (not necessarily the federal government) run a public service internet system? Sure, and probably more easily than we can, as another poster suggested, regulate tech companies into providing the right tradeoffs for housed and unhoused users.

When it comes to the right trade-off for the housed and the unhoused in terms of email service, I'm skeptical that the solution is regulatory. It seems like there is a large number of email providers that already offer what the homeless need. The problem is simply setting them up with the correct provider and user settings.

This seems like a job for people that work with the homeless.

But, look at that: the federal government already provides the homeless with cell phones. Yet instead of arguing that the government should also provide free email—which of course costs far less than cell service—the poster argues that existing commercial services should better serve the homeless.

Which, of course, would be nice! But my point was that this kind of argument seems to reflect a mistaken perception of free online services as some sort of social service, with commensurate obligations.

It seems like we basically agree.

It might be legal and maybe even legitimate, but OP said:

> This isn't a "fuck the people who don't have regular access to a phone, they don't matter" situation.

So yeah, those people don't matter (enough) in the sense that it's not worth to offer more methods of 2FA. Let's not pretend otherwise.

I struggle to see a reasonable possibility to the government either directly or legislating others to provide identification and communications services. One of the greatest utilities in the US is USPS, a monumental accomplishment to be able to provide communications to all people in the US.

Tacking on email (and identity verification services - which USPS already does via passports) should be a no brainer.

It is possible. And, as far as understand it, the teams at Google in charge of this have evaluated this option and found that it leads to more lost accounts.

The people responsible for user authentication at Google are in a completely different part of the company as advertising and, in my experience, are especially stubborn about their focus on security. "This is about phone numbers" doesn't make sense to me given my personal experience.

> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

We are talking about Google specifically here, which offers all of these options.

2FA is a major hassle for support when users get locked out because they smash their phone or change phone numbers or somehow lose access to the 2FA method. But, the benefits of 2FA largely outweigh those downsides for the majority of users. Offering the choice though, is something we think is important.

That's all I'm asking for as a user - thank you for being on the good side. Optimally you allow for multiple MFA options, so that I can e.g. use an authenticator app and a yubikey, as well as a recovery code in my bank.

You might be surprised to learn that this is how it works for Google accounts: it is default-on but you can turn it off.

> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

You might be even more surprised to discover that all of these options are supported for Google accounts.

However, Google tries _very hard_ to prevent people from e.g. creating a gmail account without a phone number. Try it if you don't believe me.

No doubt they're letting me through because some security heuristic says I'm a real human, and I'm sure they'd eventually make me provide a number if I continued using the account (this happened to me with my university G Suite account a couple years ago and I needed to contact my IT department to manually disable the phone challenge), but so far I can't see any evidence that they're doing anything unreasonable.

Perhaps they're requiring you to use a number because you've tested it a lot.

We all knew password, no problems at all. Now it mandates 2FA. And because they mandate it for Google Ads, now it's on for everything like Google Drive etc.

Google seems to support all of those?

Hint: it is still possible to create a gmail account without phone number, but it has become quite tricky to do so.

Nope. Not possible.

Oh how I would love to be proven wrong though.

Which leads me back to the point made elsewhere in this thread: we have too high an expectation for what private companies can or should do, because they have taken the place in our minds if government.

And our expectations for what government can or should do are too limited, because we've convinced ourselves government is ineffective and unaccountable.

I've personally bought/subscribed to various companies both personally and professionally. Just recently (a couple of weeks ago) I evaluated a couple of mailproviders. I discarded all of those that enforced 2FA with a phone-number.

For instance mailgun. At least the support helped me:

> Hello XXX, > > Thanks for bringing this to our attention. > > At this time, I have successfully activated your account so that it is now fully operational and you are all set! You may need to log out, then back in, to reflect this change. Also, your users can indeed utilize Google Auth without using a phone number. > > Please reach back out if any other questions arise. > > Regards, > XXX | Mailgun by Sinch

Others weren't as flexible. E.g. Sendgrind:

> Hello, > > Thanks for reaching out to Twilio SendGrid Support and for your interest in our products. My name is XXX and I’ll be more than happy to assist you in this matter. > > I am sorry for the inconvenience caused by the 2 Factor Authentication process, but this is mandatory for all accounts, as a security feature. > The only options available are to setup 2FA through Authy: to receive an SMS code or use the Authy app, which you can download here. > > I apologise for the inconvenience caused by the fact that we do not have any other options available at the time. > > Please do let me know if you have any additional questions in regards to this matter and I will be more than happy to further assist. > > Kind Regards, > > XXX | Technical Support Engineer Twilio-Sendgrid

Forcing me to use your own homegrown authenticator or a phone number? No thank you.

In the end I decided for a provider that offers 2FA but offers multiple options and doesn't enforce it.

Doesn't matter if I pay or not, really.

That is like saying 'if the DMV didn't offer IDs to people, no one would complain about not being able to get an ID'.

The fact of the matter is that email is 'de facto' online ID, and gmail has positioned itself into this role. They are now a societal need, not a luxury. They need to be regulated.

One doesn't need Gmail to have a functioning email address.

If email is a societal requirement--and maybe it is, or should be--public utilities should provide it.

It's easy to build an email provider. Why shouldn't your state or local government provide one?

The key takeaway is not about how we should promote 2FA or how we should promote long ass passwords, the main issue at hand is google's neglectful lack of customer support.

I was once caught in this non-sense many moons ago. But I learned my lesson, I absolutely do not rely on any google products for anything that has any potential to impact me personally (with the unfortunate exception of the Android OS on my phone).

Google as a brand is absolutely dead in the water for anyone that has woken up from the 'Don't be evil' kool-aid of the early days.

Imagine Google had a full service customer support system for account recovery that everybody could access rapidly. How would a homeless person use it? They lose all their possessions regularly so they don't have a reliable form of identification. They'd need to enroll their drivers license (which they probably don't have) in the system and then still have that license when they need to recover their account. Or they could be vouched for by a pre-enrolled trusted party account that does have strong authentication systems. But... homeless people are often transient and don't have access to regular support networks like a family member or social worker who could be enrolled as a backup account. In fact, you can already enroll as backup account if you want to.

> Google as a brand is absolutely dead in the water for anyone that has woken up from the 'Don't be evil' kool-aid of the early days.

Google has a pretty bad reputation at this point on tech blogs and forums. But, believe it or not, it actually shows up near the very top of trusted brands when 3rd party analysts do surveys on the wider population. Maybe this data is wrong, I don't know. But it is interesting.

Customer support is the main entrypoint into 99% of sim swapping attacks and would be similarly for any targeted account takeovers. What sort of information do you possibly think would be enough to prove someone actually owns a Google account over the phone?

they're smart, I'm sure they can find a way, even if it contains such horrible, detestable ideas like "more support staff" and "more training for support staff"

The answer has been figured out by the highly trained engineers. It's "don't provide account recovery options that bypass 2fa". Yeah that sucks for a segment if people, but it sucks less than regularly getting your account stolen due to a social engineering attack. There really, truly, doesn't exist a panacea. You don't have and can't create an oracle that knows when an account recovery attempt is legitimate or not.

The claim in the link is that homeless people lose every single one of their possessions after a period of time. They also have minimal access to support structures that could be used as a recovery system. We've had decades of work on authentication and pretty much every solution either involves using a password manager to create unique passwords or having possession of a physical thing.

That won't at all bother anyone homeless, because there's never been a homeless person who was a conspiracy theorist.

(Obvious sarcasm detected)

The best I can think of is trusted backup accounts, which already exist. A homeless person with regular attachment to a family member or a social worker could set up that person's account as a backup. But this already exists and is likely to fail for a large number of homeless people, who tend to struggle at maintaining long term relationships with family members or social workers who'd be able to help them.

The tech industry self-styles as the smartest people in the world, who try to solve the hardest problems. All I'm saying is that we shouldn't throw our hands up when we can't immediately come up with a solution to something we only learned about five minutes ago.

I think this is a good point, but the catch is that there's an implicit footnote that needs to be attached to "the hardest problems*": "*Which generate sufficient monetary returns". This particular problem isn't one that has much revenue potential.

The solution is very simple. Don't force 2FA. I'm sure most homeless people would rather risk the unlikely case of their accounts being hacked if they didn't choose a strong enough password to memorize than risk getting locked out of their accounts permanently.

You can encourage 2FA but forcibly enabling it for everyone does more harm than good, especially to homeless people but also non-tech-savvy parents and such (though the latter would be more likely to have a working recovery method).

And then in alternative-universe HN people are complaining about the rate of account takeovers via credential stuffing and calling Google irresponsible for making it easy to disable a powerful security measure.

> You can encourage 2FA but forcibly enabling it for everyone does more harm than good

I'd wager that pretty much the only people on the planet who can definitively say this are the people who handle account takeovers and lockouts of large email services. My understanding is that the folks at Google responsible for this have concluded that making it behave the way it currently does is the setup that causes the fewest people to lose access to their accounts.

Sometimes you have to make hard choices where some people get burned because the alternatives are worse. That doesn’t mean you don’t care.

In this case the people asking for 2FA are the "small minority", and the rest of us have to suffer through 2FA-authentication hell because of them.

How many people don't like 2fa because they don't know about all the times it's saved them from total account takeover?

I'm in my early 40s, computer programmer, and I've temporarily lost access to my WhatsApp account because I don't have a recent enough mobile phone, and the phone that I do have doesn't have a relatively recent OS installed.

It's a 4-year old (I think I've got it for 4 years) iPhone SE, on which I never updated the OS because I hadn't feel the need to do it. When I started getting pop-ups that "hey, our app will stop functioning on your phone unless you upgrade the OS" was already too late for that, I was afraid that upgrading the phone to the latest OS will cripple it permanently in terms of performance (the battery is already on its way out by this point).

So, assuming I get to 70, in no way I'll be up to date by then in terms of having the latest OS installed and all that crazy stuff, who has the time and the nerves for that? (especially the nerves).

Keeping all your software, and that includes the OS, up to date, is one of the most important aspects of personal security.

What’s your employment specialty that makes you trust Apple and Google?

The DMV works with people like this all the time; perhaps something could be done there where you have a government issued email address that you can't lose or be locked out of (worst case you take your ID to the DMV and the nice clerk helps you reset your password/sign in).

Google is already providing a free service to homeless people. It's not empathy to tell someone else to solve a problem that you care about. That's virtue signaling. If he cares, he should take matters into his own hands.

Is it too much to ask a single person to build a free email service for all homeless people? Perhaps, but the good news is that he doesn't have to. Google already allows you to disable 2FA [1]. He could have started a campaign to disable 2FA on homeless people's phones, but instead he uses this as an opportunity to shame Google to boost his own Twitter follower count.

I think that empathy is highly overrated. I doubt anyone notorious for flashing their big Johnson is particularly empathetic, yet LBJ expanded social services more than any other President. The problem isn't that people have too little empathy these days. It's that people are too easily impressed by broadcasting their intentions rather than actually trying to solve a problem.

[1] https://support.google.com/accounts/answer/1064203

He did progressive things, but to me it sounds like he was influenced by philosophical ideals rather than empathy. They based Frank Underwood from House of Cards on an exaggerated version of LBJ.