What is the ask that is overwhelmingly reasonable? As has been pointed out to me and others, Google already offers a way to turn off 2FA - https://support.google.com/accounts/answer/1064203 Naively this seems like it should solve the 2FA problem for the unhoused community members in question.
Even when 2FA is disabled, Google will insist on additional verification (phone, recovery email, etc) if it thinks something about your browser or IP address is unusual, even if you know your password. If you don't have a verification method (or cannot access it), Google will literally just lock you out. I have personally experienced this.
OK. That raises all sorts of follow-up questions, as turning off security measures can be expected to have consequences.
What should Google do in the scenario that this purposely-low-security-for-the-unhoused account is breached? What about abuse? Are we OK with Google just shutting off accounts in that scenario? Are we prepared to accept that the members of our community experiencing being unhoused will find themselves constantly creating new accounts as their old ones are shut off or rendered unusual from the consequences of purposely-low-security-for-the-vulnerable?
Remember, things like Gmail accounts are under constant attack. Security measures, the very ones we're talking about disabling, help keep those attacks at bay. Each of those things that triggers verification actually lines up with real attack patterns.
So while this may be a small-ish thing to ask for, I'm a little concerned about the consequences. We're literally asking to offer the most vulnerable and marginalized members of society shittier security and ignoring the effects of this.
> Are we OK with Google just shutting off accounts in that scenario? Are we prepared to accept that the members of our community experiencing being unhoused will find themselves constantly creating new accounts as their old ones are shut off or rendered unusual from the consequences of purposely-low-security-for-the-vulnerable?
I am, yes, if the alternative is that they lose access to their account every few months!
Also, at least this way people have the ability to keep their accounts truly safe if they choose a strong, unique password. If Google just locks them out no matter what, there's no recourse.
> I am, yes, if the alternative is that they lose access to their account every few months!
Good to hear, though I confess to a bit of confusion. The issue I pointed to is that they're going to lose access to their accounts frequently as their accounts get breached, abused, and shut off. As opposed to losing access because they lost their phone number.
> Also, at least this way people have the ability to keep their accounts truly safe if they choose a strong, unique password. If Google just locks them out no matter what, there's no recourse.
As described in the Twitter thread, we're talking about people who already struggle to remember their passwords. I doubt this will improve if we require basically regular people to have strong passwords, but perhaps you have reason to think differently.
Basically I think you're trading one cause of lockout without recourse for another cause of lockout without recourse with this proposal. This does not strike me as progress. For my own part, I think Google is the wrong place to be trying to address this issue - perhaps porting phone numbers within the Lifeline phone program would be better.
I don't think people's accounts are getting hacked anywhere near three times per year. And while remembering passwords is a problem, surely it's easier than remembering a password and keeping track of a second factor device?
You're right, people's accounts aren't getting hacked that often. This is because of a wide array of security measures - the ones you're suggesting be disabled. The frequency of breaches goes up significantly without those in place, especially when coupled with the kind of weak password likely to be chosen by struggling, marginalized, vulnerable people whose priority is not keeping bots at bay.
In short - yes, but the consequences defeat the point.
With this in mind, what else should Google do?