HN Reader

Third patient dies from acute liver failure caused by a Sarepta gene therapy (biocentury.com)

90 points by randycupertino 1h ago 19 comments

Asynchrony Is Not Concurrency (kristoff.it)

36 points by kristoff_it 1h ago 12 comments

Replication of Quantum Factorisation Records with a VIC-20, an Abacus, and a Dog (eprint.iacr.org)

28 points by teddyh 1h ago 4 comments

AI CapEx Is Eating the Economy (paulkedrosky.com)

11 points by throw0101c 23m ago 1 comments

Show HN: I built library management app for those who outgrew spreadsheets (librari.io)

12 points by hmkoyan 53m ago 3 comments

lsr: ls with io_uring (rockorager.dev)

256 points by mpweiher 7h ago 143 comments

Trying Guix: A Nixer's impressions (tazj.in)

100 points by todsacerdoti 3d ago 24 comments

CP/M creator Gary Kildall's memoirs released as free download (spectrum.ieee.org)

200 points by rbanffy 9h ago 102 comments

Mango Health (YC W24) Is Hiring (ycombinator.com)

1 points by zachgitt 1h ago 0 comments

How I keep up with AI progress (and why you must too) (blog.nilenso.com)

82 points by itzlambda 1h ago 52 comments

Benben: An audio player for the terminal, written in Common Lisp (chiselapp.com)

19 points by trocado 3d ago 1 comments

Cancer DNA is detectable in blood years before diagnosis (sciencenews.org)

57 points by bookofjoe 1h ago 20 comments

The Year of Peak Might and Magic (filfre.net)

15 points by cybersoyuz 3h ago 2 comments

Section 174 is reversed! Mostly, that is. (newsletter.pragmaticengineer.com)

76 points by jawns 2h ago 31 comments

I'm Peter Roberts, immigration attorney who does work for YC and startups. AMA

128 points by proberts 5h ago 204 comments

When root meets immutable: OpenBSD chflags vs. log tampering (rsadowski.de)

123 points by todsacerdoti 11h ago 41 comments

LibreOffice slams Microsoft for locking in Office users w/ complex file formats (neowin.net)

102 points by bundie 3h ago 63 comments

Hundred Rabbits – Low-tech living while sailing the world (100r.co)

185 points by 0xCaponte 4d ago 45 comments

How to Get Foreign Keys Horribly Wrong (hakibenita.com)

30 points by Bogdanp 3d ago 8 comments

A New Geometry for Einstein's Theory of Relativity (quantamagazine.org)

25 points by jandrewrogers 5h ago 0 comments

HathiTrust Digital Library (hathitrust.org)

51 points by djoldman 3d ago 15 comments

CoCo1 composite video (leadedsolder.com)

22 points by zdw 3d ago 1 comments

The Art of Roland-Garros (garros.gallery)

51 points by pentagrama 3d ago 4 comments

Dear valued user, You have reached the error page for the error page (imgur.com)

150 points by Alex3917 4h ago 31 comments

Psilocybin decreases depression and anxiety in cancer patients (2016) (pmc.ncbi.nlm.nih.gov)

233 points by Bluestein 9h ago 225 comments

DHS: Filming Cops, ICE Officers Is a 'Violent Tactic' (techdirt.com)

65 points by mdhb 1h ago 18 comments

Firefox-patch-bin, librewolf-fix-bin AUR packages contain malware (lists.archlinux.org)

83 points by rrampage 2h ago 76 comments

The Israeli "art student" mystery (2002) (salon.com)

62 points by georgecmu 2h ago 10 comments

Exposed MCP servers across the internet (knostic.ai)

65 points by gepeto42 6h ago 26 comments

Row Polymorphic Programming (stranger.systems)

43 points by todsacerdoti 4d ago 25 comments

Ask HN: Any active COBOL devs here? What are you working on?

211 points by _false 7h ago 160 comments

15 Years of Building Jefit (jefit.com)

48 points by jasong 3d ago 29 comments

Inspect ANSI control codes and escape sequences (ansi.tools)

95 points by webpro 3d ago 47 comments

Fully homomorphic encryption and the dawn of a private internet (bozmen.io)

397 points by barisozmen 16h ago 184 comments

Ring reintroduces video sharing with police (theverge.com)

6 points by 01-_- 1h ago 2 comments

Ask HN: GCP Outage?

78 points by grilledchickenw 4h ago 35 comments

Jandas: A much Pandas-like JavaScript library for data science (github.com)

5 points by mmarian 57m ago 0 comments

Matt Dillon discusses the past, present and future of BSDs (2022) (web.archive.org)

3 points by cnst 28m ago 0 comments

Experts lay into Tesla safety in federal autopilot trial (arstechnica.com)

21 points by duxup 2h ago 5 comments

Getting off US tech: a guide (disconnect.blog)

5 points by DoctorOW 1h ago 1 comments

DIY Telescope Mods That Transformed My Astrophotography (youtube.com)

71 points by karlperera 3d ago 16 comments

TCP-in-UDP Solution (eBPF) (blog.mptcp.dev)

74 points by todsacerdoti 3d ago 19 comments

ICE is getting unprecedented access to Medicaid data (wired.com)

215 points by josefresco 5h ago 223 comments

DuckDuckGo now lets you hide AI-generated images in search results (techcrunch.com)

133 points by moose44 3h ago 52 comments

OpenAI: A $50M fund to build with communities (openai.com)

4 points by OutOfHere 52m ago 1 comments

Extending That XOR Trick to Billions of Rows (nochlin.com)

93 points by hundredwatt 4d ago 17 comments

NIH is cheaper than the wrong dependency (lewiscampbell.tech)

282 points by todsacerdoti 17h ago 183 comments

My favorite use-case for AI is writing logs (newsletter.vickiboykis.com)

241 points by todsacerdoti 20h ago 172 comments

ChatGPT agent: bridging research and action (openai.com)

660 points by Topfi 1d ago 460 comments

NYPD bypassed facial recognition ban to ID pro-Palestinian student protester (thecity.nyc)

264 points by dataflow 7h ago 154 comments

Gmail's backup codes are useless to access account

86 Andrew_nenakhov 83 7/18/2025, 4:32:55 PM
Ok, I have a work account on Gmail. Having the experience of being locked out of Gmail previously (endless loop of "You are entering the correct password but we're not sure that it is you, try again later"), I created a 2fa via Google Authenticator and set up Backup Codes and thought I'm safe from them asking me to sign in on another device or enter sms code (I don't carry that phone with me).

So, one sunny day I decided to add standard iOS mail app to this account, and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

Ok, I don't have that phone with me, so I try to log in with Authenticator, and no, no good: 'we are not sure that it is you, enter code sent to sms'. Ok, I dig backup codes, enter them, and still get 'we are not sure what it is you' message.

What's even the point of allowing to set up Authenticator or Backup Codes if they don't do anything?

If there are some people from Google reading this, please, don't reach out to me offering to help. Just change this dumb system.

Comments (83)

NearAP · 2h ago
It isn't just the backup codes.

More than once, I was in a different country and tried logging into a workspace gmail account. Google flags it as a strange activity (fair enough) and needs to authenticate me. It asks me to enter the complete address for my recovery email (I do this), it sends me a code to use for sign in (I do this) but it still refuses to sign me and says it can't authenticate me. It says I need to sign in from a location that I've signed in from before.

So, for the period that I was out of the country, I couldn't access my email. This happened each time I'm in a new country. My only work around was to sign in to my email (on my laptop) before traveling and not sign out (for security reasons, I don't like to do this).

Something similar happened when I used a new laptop.

I just don't understand this. What then is the point of having recovery email and phone number if you won't use them?

Ezhik · 2h ago
There's a Gmail account I've lost forever because Google wouldn't let me in even after doing 5 factor authentication (password, phone number, code from SMS, backup email, code from email).
ffsm8 · 1h ago
Heh, same for me. (albeit only three factors, but more weren't configured)

It was firstname.lastname@gmail.com that I lost, as I was mostly using my original account with a pseudonym for anything private (was a teen when Gmail started, so didn't think twice about using a cringe username back then).

I had configured the first/last name Mail to forward everything to the pseudonym email and didn't access it again for something like a year... Then I had to respond to someone and... Well, Google never let me access it again.

I eventually gave up on it entirely and switched to a custom novelty domain on fastmail, much much later. (A portmanteau of my last/first name

xdfgh1112 · 1h ago
This doesn't happen for me with regular gmail. I wonder if your workspace had a very strict policy.
NearAP · 1h ago
1) This also happens to non-workspace (regular) gmail accounts

2) I didn't change the policy on the workspace email when I signed up for it

The point is still - why ask me to authenticate via different methods and then reject them after I've correctly authenticated? If some policy is overriding these, then you shouldn't have asked me to authenticate via those methods in the first place.

Andrew_nenakhov · 2h ago
I try to always log in to Gmail via VPN that uses the same IP address from any location.
david422 · 3h ago
I created a gmail account in 2004 and then completely forgot about it. Just last week I realized that I had registered that account. I went to the forgot my password page, and it prompted for the last password I remembered using, which I took a guess at. It told me that wasn't enough information to recover the account, and that was it, because I didn't have a backup phone, email etc. attached.

But then I thought- what if I just try that password to login. And it worked.

So when I thought I had forgotten my password, gmail prompted me for a piece of information that I got correct, and then wouldn't accept it.

I also have another email account that forwards all mail to my main account, but I've definitely forgotten that password, and I have no way to actually get back into that account, even though I've tried. I guess it just forwards mail forever.

roywiggins · 3h ago
> I guess it just forwards mail forever.

Probably not forever:

https://www.npr.org/2023/11/27/1215285876/google-inactive-ac...

nickdothutton · 2h ago
I’d love to see a fully mapped login/auth flowchart with every permutation. New accounts, ancient accounts, accounts with 2FA, without. I bet Google themselves dont even have one now. Remind yourself they are really just an advertising monopoly that does other things as a side project.
politelemon · 2h ago
They for sure won't have one, and various parts of the flow will have been worked on and happy path tested in isolation at different times, so that no googler ever hits the real world cases like OP did. I didn't even say edge cases because they are hit fairly commonly.
tptacek · 8m ago
Since this is a work account, I think this is more between you and your IT team than it is between you and Google.
modeless · 2h ago
If you want to prevent SMS from being used, remove the recovery phone number and/or 2-step phone number from your account. That's how I've had my account set up for many years, to prevent SIM swapping attacks. Just make sure you set up all the other 2-step options.
Andrew_nenakhov · 2h ago
I did it on the account mentioned in post (didn't set TOTP though), and Google locked me out saying "You're entering correct password but we're not sure it is you. Try again later". And I tried and tried and tried, for a few weeks.

Then, after 2 months, I tried logging in and suddenly it worked.

modeless · 2h ago
I would start looking at the networks you are using. You may be unknowingly sharing your public IP or IP block with compromised machines that are part of botnets, which makes Google (rightfully) very suspicious of logins coming from there. I would also definitely get several hardware FIDO2 security keys as Google will likely trust those more than other forms of authentication.
Andrew_nenakhov · 1h ago
That was on my company office network that had a stable IP address for I think a decade. Thing is, Google is now known to randomly become very paranoid and protects you from yourself, and, coupled, with complete absence of any support, often results in full account loss: you have better chances of speaking with the Prime minister of Estonia by calling their office than reach someone from Google.
modeless · 1h ago
How certain are you that none of your printers or visitors' laptops or whatever were ever compromised by a botnet? Or that your ISP isn't also serving customers who are compromised or malicious on IPs adjacent to yours?

A few hardware security keys will probably prevent this problem for you. I'm wondering why you didn't consider getting them after you had login problems before.

Andrew_nenakhov · 1h ago
I don't really think hardware keys (which I have a few, btw) really improve security:

I use a seriously backed up password manager that I have means to access from anywhere, and the only thing I have to worry is that I'd forget my really complex password to access it, because it is unfeasible that I'll lose all my devices where it is backed up and also an off-site backup of it.

With hardware keys, however, I constantly have to worry to keep them with me or in a safe place and not to lose them.

(my position is partially rooted in the fact that I happen to live in a country where you can easily have all your material possessions forcibly taken from you)

modeless · 1h ago
This is about proving to Google that you're secure. Google doesn't know if the password you entered came from a password manager or not. But if you're using a hardware key, they know it's secure.

If you lose your hardware keys, you still have your other 2 factor options, so you are no worse off than your current situation.

SoftTalker · 2h ago
When my bank introduced the option to use TOTP codes instead of SMS for 2FA, I said "Great!" and enabled it immediately. Unfortunately they don't let you remove the other 2FA options. So logging in, I now get three options for 2FA: SMS code, emailed code, or Authenticator code.
modeless · 2h ago
Yes, a lot of places don't let you remove the phone number. But Google does.
fauigerzigerk · 2h ago
True, I deleted mine long ago. They keep nagging me to add a recovery phone number though.
modeless · 2h ago
Yeah I get nagged once every few months, maybe. Easy enough to ignore.
ikekkdcjkfke · 2h ago
So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?
modeless · 2h ago
The safest option is a hardware security key because it is not vulnerable to phishing. And I expect Google to trust it above all other forms of authentication because of that. So anyone who is worried about losing access to their account should immediately buy multiple hardware security keys. You don't have to buy them from Google.
reaperducer · 52m ago
So we are at a point where just a strong password stored in memory is actually the safest option (given brute force protection)?

The safest option is straight out of 1994: Sticky notes.

Security keys can get lost or stolen. If someone breaks into your house or office, they're going after something other than a sticky note in your desk.

valrama · 1h ago
> and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

It's interesting you got that message (via email?) one hour after you successfully signed in on your iphone. Are you sure it was not some phishing email or something? Also are you still logged in on that account or did you get logged out?

mikece · 3h ago
One of the first things I do with all of my Google accounts is set up TOTP authentication and not with Google Authenticator. So far I haven't had any issues getting into an account after not logging in for a while (because my gmails all forward) but I wonder if Google will disable standard TOTP in favor of requiring Google Authenticator (which will be a problem because then I would need to get a separate handset for each account).
Andrew_nenakhov · 3h ago
Google Authenticator is a TOTP client as far as I know, and it can transfer codes to third party clients without problems.

The point of my rant was that with modern day Google, TOTP authentication is not enough.

Eduard · 2h ago
last time I checked (two years ago), Google Authenticator made it horribly complicated to export TOTPs managed by it. It took me an evening and many unsuccessful attempts to get my 10 or so Google Authenticator-managed TOTPs in a format that I was able to import into other open source solutions (eg Authy Authenticator Android app, KeePassX Linux application).

I don't care if things have changed, it was a shit experience. I highly suggest to stay away from the Google Authenticator lock-in danger.

mikece · 3h ago
Google Authenticator, like the Microsoft Authenticator, goes beyond mere TOTP and if you use that (or it's required by Google) then you need an app that can receive a push notification as part of the 2FA. This is the part that would screw up a lot of the consulting work I'm doing with client Google accounts because it would mean getting a separate installed instance of Google Authenticator for each account.
hocuspocus · 3h ago
You're confusing Google device prompts and Authenticator. The latter is indeed a mere TOTP client.

By the way I'm pretty sure the prompts work with as many Google/Workspace accounts as you want.

thesuitonym · 3h ago
I haven't used Google Authenticator, but most authenticator apps allow you to have multiple accounts connected. It would be insane to me if Google didn't.
hocuspocus · 3h ago
Of course, it can hold as many secrets as you want. It syncs them to only one Google account though, but that's irrelevant.
jbombadil · 2h ago
+1!

Please Google let me have a normal TOTP authentication. No SMS, no "open the gmail app on this other device and tap this prompt", no mandatory Google Authenticator, etc.

fauigerzigerk · 2h ago
You can add normal TOTP and delete Google Authenticator. You can also delete SMS. What you cannot do (I think) is remove Google Prompt if you are logged into your Google account on a phone.
bsoles · 2h ago
LinkedIn did the same thing to me after I have enabled 2FA, completely locking me out of all my devices. Then, they asked me to send a picture of my driver's license to a third-party company, who does some kind of validation I guess, to re-enable my account. God, I wish I can delete my LinkedIn account, but it is my only professional visibility to the business world.
mzajc · 2h ago
Google will occasionally brick my account telling me I "didn't provide enough info for Google to be sure this account is really yours". There is absolutely nothing I can do but wait for it unbrick itself after a while, all while not being able to read any mail that comes its way. Support is completely useless.

Needless to say I decided to forward all mail elsewhere. I wouldn't touch Google for work with a 3m pole.

rvnx · 3h ago
It can even escalate to https://support.google.com/a/answer/1110339?hl=en

"Automatically suspended by Google systems for being at risk"

+ This is an automated message. Replies are not monitored.

https://www.linkedin.com/pulse/when-you-get-locked-out-your-...

Good luck.

Andrew_nenakhov · 3h ago
I wonder if there is a way to disable this SMS 'security' antifeature once and for all? I imagine it is a constant nightmare for people who travel abroad and do not always have connection on their number registered in their 'home' country.
FabHK · 3h ago
Indeed. I have a university alumni account that I haven't been able to use for some years because it is managed by Google, and they in their wisdom figured somethings was suspicious (maybe leaving the country or not logging in multiple times a day or cleaning cookies or something else that good patriots don't do).

They're asking for a phone number (so, good to know - if a hacker actually got my username and password, they could access everything Google has on me if they have a fresh phone number, I feel super protected), which I am reluctant to provide, but it still doesn't work.

As you highlight, no support.

Youden · 3h ago
On Gmail: https://myaccount.google.com/security -> "How you sign in to Google" -> "2-Step Verification Phone" -> trash can.

In general, no. I've wondered if legislation would be feasible though, especially given the flaws that have already been shown.

lxgr · 3h ago
To be a person is to have a phone number capable of receiving SMS, at least according to approximately every US company.
vouaobrasil · 3h ago
In my opinion, the #1 way to make Gmail better is to enable forwarding. Then you don't have to deal with their ugly interface, login system, new features, weird compose window, etc....
icedchai · 3h ago
I'm one of the few that likes the gmail interface, I guess. Whenever I'm forced to use Outlook's web interface, I want to vomit.
vouaobrasil · 3h ago
Yeah Outlook is harsh. I was comparing it to a dedicated mail reader like Thunderbird.
fauigerzigerk · 3h ago
Me too. I forward Outlook to Gmail.

Outlook is unusable but harmlessly so. What's worse is Microsoft 365. I simply can't find a way to configure 2FA in any kind of sensible way. Right now it's simply turned off, which makes me very nervous. Whatever I do, it is somehow overridden in other parts of their byzantine and always changing cat herd of admin sites. I'm waiting impatiently for our M365 subscription to expire so we can finally migrate off this nightmare.

midnightblue · 2h ago
Gmail has one killer feature which is the auto-acceptance of calendar invites. to put it better yet, it will put any and all invites and invite-looking things from emails into your Calendar. you still need to mark "yes i will attend" manually. that, as far as i am concerned, is the perfect UX for this workflow. i don't wanna have to create calendar items manually, feels very previous-century.

i tried to migrate from Workspace to iCloud but dealing with the insane OSX Calendar app which not only does not put anything into your itinerary automatically but is liable to just disappear items from the Calendar randomly, put me off so much i went right back to Workspace.

Andrew_nenakhov · 3h ago
That's actually how I use that account, but this time I decided to check how it works with the iOS mail app on new iOS beta with that liquid glass interface.

I even dug out my computer that was logged in to this account in desktop browser, and it too blocks access. Crazy.

robertoandred · 3h ago
Or just use a different email client?
jonathantf2 · 2h ago
From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.
reaperducer · 44m ago
From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.

Very strange. I've been using both iOS Mail and macOS mail with my company's Microsoft Exchange server for almost a decade with zero problems.

I've also been using both iOS and macOS with Gmail on my personal account for close to 20 years across close to a dozen computers and devices, and the only problem I've ever had is when Gmail suddenly decides to let some company bypass its spam filter.

I think I use Gmail's web interface maybe two or three times a year.

jonathantf2 · 16m ago
EXO or on-prem? We see a lot of authentication errors and sync issues, so much so that we block the "Apple Internet Accounts" EA since it stops the users from adding it in the first place on tenants we manage.

One particular well documented issue that first cropped up about 5 years ago that I still see to this day is the spam of calendar invite acceptance e-mails (so much spam that the user gets outbound blocked). Only happens if the user accepts a calendar invite using the iOS calendar client, MS couldn't identify an issue and Apple didn't wanna hear about it.

thibaut_barrere · 3h ago
A bit of a sidenote but: what is a gmail alternative that really works? For instance, spam handling is worse in pretty much any alternative I've tried.

I'm interested in EU-based products first. But they need to handle spam well!

AndersSandvik · 3h ago
I recommrnd Fastmail! Switched to them like 3 years ago. They Are perfect for me. I use masker emails for my domain so i never get spam
barbazoo · 2h ago
It's hard to judge but for me Fastmail seems to be pretty great at detecting spam, at least it always ends up in my Spam folder. False positives are pretty regular, so far never actual human written emails though, only newsletters, but still. Overall for me a set and happily forget kind of service. Support is decent too.
fauigerzigerk · 2h ago
My company used to be on Fastmail. Spam was definitely a problem. It's not EU based either if that matters (although the relevant servers may be).
BoppreH · 3h ago
I'm a happy user of Fastmail. It's a paid service (€5 per month) but that comes with higher standards. The webmail has been pretty good. Barely any spam to speak of (once a week?), even though I have various email addresses in public places.
classichasclass · 3h ago
Another satisfied Fastmail user. We don't pay a great deal for it and the service has been very good. Be the customer, not the product.
lucianbr · 3h ago
Protonmail works in the sense that I can receive and send emails, it's always up when I need it. I don't know how much of the spam is not arriving or being filtered.
fauigerzigerk · 2h ago
Do you have any deliverability issues when sending mails? I find Protonmail interesting and I like the clean UI, but I worry my mails may end up in recipients' spam folder more often.
bsoles · 2h ago
Not the original poster. I use all three Proton domains (pm.me, proton.me, protonmail.com) and haven't had an issue so far.
lucianbr · 1h ago
I have not had any issues so far.
kstrauser · 2h ago
I use Apple's hosted domain service, which is included in the price of Apple One we were already paying for. It's been surprisingly great since I switched my domains to it.
delusional · 3h ago
How do you defined "handling spam well"? What problem did you have with the alternatives you've tried?
barbazoo · 2h ago
They definitely do have regular false positives for me, marking something as spam that isn't. Never personal email though.
paul-tharun · 2h ago
mxroute is pretty good with their spam handling
Tijdreiziger · 3h ago
Soverin
ChrisArchitect · 2h ago
Related/unrelated outage today:

Ask HN: GCP Outage?

https://news.ycombinator.com/item?id=44605732

bpodgursky · 3h ago
There's a button in the admin page for your workspace admin to disable extra security prompts for 10 minutes. Just ask them to help.
Andrew_nenakhov · 3h ago
it's a simple gmail.com account, not a workspace one.
ASalazarMX · 2h ago
I got the same impression as the root comment, since you stated "I have a work account on Gmail". In reality, you have a personal account that you use for work, with the accompanying dismal tech support.

Losing that account is a big risk for your work, paying Google Workspace is an investment in your case.

bpodgursky · 2h ago
Yeah I would really clarify that this is not a "work account" in the way most people would interpret it. I agree OP should be paying for Google Workspace if your income depends on this account.
tkj922 · 2h ago
I don't get it. To me it seems that being locked out of a "work" email is far better (far less worse) than being locked out of a "personal life" one, which probably includes stuff like telecom, utility, insurance, social media being tied to that entity. It is easier to get another job than to "recover" all the other aspects of life
Andrew_nenakhov · 2h ago
To be specific, I use it for a separate Google Play developer account, which Google refused to create on my Workspace account, saying it must be a regular Gmail account. (They also restrict Workspace accounts from some Google Play functions like rating the apps and leaving reviews).
jeffbee · 3h ago
None of these things is a saving throw versus suspicious login detection. It's for the safety of your account. Wait an hour or two, or resolve the reason for the suspicious activity if you may have caused it (VPN, for example).
tczMUFlmoNk · 2h ago
VPNs are a wholly legitimate way to use the Internet. The onus should never be on a legitimate user to disengage measures that they've taken for their privacy and safety.

In this case, the user has already authenticated with three factors(!). Framing potential VPN use as "suspicious" normalizes a more locked down, surveilled web with fewer rights for humans. We shouldn't be pushing that direction.

a2128 · 2h ago
Using a VPN is not even the suspicious part. Using a public network (e.g. hotel Wi-Fi) can make you equally suspicious, in that case you would actually need to have a VPN to your home network to erase suspicion. So it's not about using VPN, it's about not making yourself easily trackable and surveillable
jeffbee · 1h ago
I don't know for sure but I personally doubt that hotel wifi has the same strength as a suspicion signal that VPN exit nodes have. Some normal users use global VPNs. Every criminal uses a global VPN. That is the problem.

Also, just to point it out, logging in at all is a bit suspicious. Normal users rarely do it. You authenticate to Google on your mobile and that's it, you never do it again.

All lot of these other comments are talking about policy and principals but I am just trying to help the OP by taking their question at face value. Their goal seems to be to login to Gmail.

MintPaw · 2h ago
While I agree in this specific case, in general, the idea that privacy and safety measures trump all other factors is poorly thought out. What if, for my privacy and safety, I don't want to log into my account to view a specific piece of content? It ignores the reality and impacts of bot activity. And like, what if you paid the for the content? Obviously you have to sign in to view it.

Although maybe you didn't mean to make such a strong statement.

jeffbee · 2h ago
And with a workspace account you can express that preference to Google. But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked and your aesthetic beliefs about supposed rights strongly conflicts with what humans actually want.
beeflet · 2h ago
>But the fact remains that 99.5% of the people who suddenly switch their login traffic from US to Romania or whatever have been hacked

Why wouldn't a 2-factor or a recovery email sent to another address be enough to refute this?

If you can hack someone's device, it's not that much more difficult to tunnel the connection through a residential VPN. If you can't hack their device, then you can't get 2-factor codes or access their other accounts.

beeflet · 2h ago
Why should my login be tied to my IP address, which gets randomly re-assigned instead of a secure TOTP tied to my device? What if I'm in a foreign country and I need to check my email? My account has been totally secured ... against me!

Not only is the email protocol (SMTP) an unreliable transport now due to spam filtering, but the actual login interface (IMAP) is also unreliable! Not that this will actually accomplish anything. Spear phishing and spam campaigns seem to be ever-present.