Recently I’ve been evaluating and documenting how Google performs account security.
With 1 billion user accounts, Google needs to strike the right balance between security and usability: if the security is unusable, it drives too many support requests; if the security is lacking, it drives too many unauthorized account takeovers.
I recently wrote a blog praising how they implement two-factor authentication (2FA). Essentially they take a self-service approach, empowering people to enroll and manage multiple strong credentials to secure their account.
It got me thinking about password reset when 2FA is enabled. That is, what happens if you are in possession of all your strong credentials but forget your password?
Well, I decided to do a bit of testing.
Google PW reset
When kicking off the password reset workflow the first thing I’m asked for is “the last password you remember using with this Google Account.”
A little strange, since the reason I’m here is that I forgot my password, but I give it a shot and enter a random password. Either I got it right or it doesn’t matter, because the process continues and I’m prompted for one of my 2FA credentials: a U2F security key.
I insert my trusty blue YubiKey and pass authentication.
Now I’m prompted to confirm the phone number I provided in my security settings.
No problem. Entered, and clicked Next.
Now I’m asked to confirm the Month and Year I created my Google account.
Well… I’ve had my Google account for a decade or longer and have no idea when it was created. I enter values that are likely incorrect. It doesn’t seem to matter and I’m moved along to another form requesting an email address I can “check now.”
I enter an address and receive an email with a one-time passcode (OTP). Note that it doesn’t seem to matter which email address is entered; the OTP is sent every time.
I copy and paste it into the form and am finally taken to a page that tells me “the Google Accounts team will review your info and get back to you within 3-5 business days.”
So 5 steps later, still no ability to reset my password.
As far as I can tell, it doesn’t matter what information is entered or which 2FA credentials are presented to prove ownership over the account. All scenarios I tested result in the same page.
GitHub PW reset
By contrast, let’s take a quick look at how GitHub handles the same PW reset flow.
I have a GitHub account secured by U2F keys and OTP apps (same as my Google account). I go through the PW reset flow, offer the email address associated with my account, and receive an email with a link to reset my password. I click the link and am taken to a page requesting one of my 2FA credentials. Upon passing the authentication I’m able to reset my password.
Pretty straightforward, pretty secure.
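To make the GitHub-style flow concrete, here is an added in-memory model of it (my own illustration, not GitHub’s code): a single-use, time-limited reset token stands in for the emailed link, a set of one-time codes stands in for the enrolled U2F/OTP factors, and the password can only change after both the token and a second factor have been presented. The 15-minute expiry and the injectable clock are assumptions for the example.

```python
import hashlib, secrets, time

RESET_TTL = 15 * 60  # reset links expire after 15 minutes (assumed policy, not GitHub's)
def _hash(s):
    return hashlib.sha256(s.encode()).hexdigest()  # stand-in for a real password hash

class AccountStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}  # email -> {"pw_hash", "otp_codes"}
        self.tokens = {}    # sha256(token) -> (email, expiry)
        self.sessions = {}  # session id -> {"email", "mfa_ok"}

    def add_account(self, email, password, otp_codes):
        # otp_codes stands in for the enrolled U2F/OTP factors (constructed sample data)
        self.accounts[email] = {"pw_hash": _hash(password), "otp_codes": set(otp_codes)}

    def request_reset(self, email):
        # Step 1: single-use, time-limited token (emailed as a link in the real flow);
        # respond identically whether or not the address exists, so nothing leaks.
        token = secrets.token_urlsafe(32)
        if email in self.accounts:
            self.tokens[_hash(token)] = (email, self.clock() + RESET_TTL)
        return token

    def redeem(self, token):
        # Step 2: the link is consumed on first use and rejected after expiry.
        entry = self.tokens.pop(_hash(token), None)
        if entry is None or entry[1] < self.clock():
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"email": entry[0], "mfa_ok": False}
        return sid

    def verify_second_factor(self, sid, code):
        # Step 3: the reset session is useless until an enrolled factor is presented.
        s = self.sessions.get(sid)
        if s is None or code not in self.accounts[s["email"]]["otp_codes"]:
            return False
        self.accounts[s["email"]]["otp_codes"].discard(code)  # one-time codes are consumed
        s["mfa_ok"] = True
        return True

    def set_password(self, sid, new_password):
        # Step 4: only a session that passed step 3 may change the password.
        s = self.sessions.get(sid)
        if s is None or not s["mfa_ok"]:
            return False
        del self.sessions[sid]
        self.accounts[s["email"]]["pw_hash"] = _hash(new_password)
        return True
```

Possession of the email link alone never changes the password here, which is the property that makes the flow both usable and safe for accounts with 2FA enabled.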
So here are two large, consumer-facing Internet services offering very similar account security features but taking very different approaches to account recovery.
Google’s process seems totally broken and unfit to handle 1 billion users.
GitHub’s seems to offer the right balance between usability and security.
What do you think?