No, Google and Microsoft, it's really me


Paranoia about online security is rife. But when safeguards are put in place, it helps to scope out how people might use them first.

I was roaming today on a public network and, because I’m reasonably security-minded, was using a VPN on the laptop. I’d picked Germany as my host nation as it’s reasonably nearby. Thus, as far as any websites I visited were concerned, my encrypted traffic came from a server in that country.

And that’s where the trouble began.

I wanted to access my gmail account. So I spun it up and logged in, to be greeted with the dreaded Suspicious Activity splash page. Google, among others, have taken it upon themselves to add this so-called security feature that lets me know any time my account is accessed from a location I don’t “usually” log in. The problem is — at their discretion — they can lock me out of my account until I enter a verification code to prove it’s me.

There are a variety of ways to satisfy Googlesville, the primary ones of which are:

  1. A code sent to my phone. No thanks. I don’t want Google having my mobile number and two-factor authentication is NOT necessarily security.
  2. An email sent to my “alternate address” that I set up at account creation time.

Brilliant, option two it is. Click. Now I just need to log in to my hotmail account to retrieve the code and unloc… uh-oh:

Help us protect your account: We’ve detected something unusual about this sign-in. For example, you might be signing in from a new location, device or app.

Screeeeeeech. So in order to retrieve my code I need to verify my identity in Hotmail too. Great. The same two options are available and I choose to have the code sent to my alternate email address. That’s one of my throw-away email forwarders. And no prizes for guessing where that mail address forwards to:

Yep. Gmail.

(Incidentally, that was stupid. I know I shouldn’t daisy chain accounts, but at the time of this event, that’s what I did. I’ve since changed it.)

With the very real prospect of being caught in a recursive loop, I swore profusely at both companies’ approach to security and switched off the VPN whereby I was permitted to log into one of the services. But not the other, because it deemed my roamed location in the UK was “not normal”. Of course it’s not normal: I’m on the move! You know, mobile. Like everyone else.

Fortunately I was in a position to be able to break the cycle, but if I was in a foreign city for the first time, how would I access my account? Unless I can pre-approve the location or happen to have a VPN endpoint in my home city that I can use to fake where I am in the world, thus pretending I’m back home in my trusted location, I’m out of luck. It’s not like I would even be able to admit defeat and set up 2FA while on the move because I can’t prove my identity to access the account. That kind of thing needs to be done from my “safe” house. Aaaargh!
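The lockout loop described above can be checked for in advance. The following is an added example, not code from the original post: it models a recovery configuration as a graph (each account lists the channels that can deliver its verification code), reports daisy chains, and answers the question the post asks: with every account challenged at once, can a given account still be unlocked? The account names, the throw-away forwarder and the terminal factors (phone, backup codes) are constructed assumptions; the check itself works for any configuration, not only this one.

```python
"""Find daisy-chained account recovery and test whether an account is still reachable."""
from typing import Dict, List, Optional, Set

# Constructed recovery configuration (hypothetical accounts, not real ones).
# Each key is an account; each value is the set of channels that can deliver
# its verification code. A channel is either another account, which must itself
# be opened first, or a terminal factor that needs no login at all.
RECOVERY: Dict[str, Set[str]] = {
    "gmail": {"hotmail"},
    "hotmail": {"forwarder"},
    "forwarder": {"gmail"},  # the throw-away forwarder delivers into gmail: the loop
}
# Terminal factors: readable without passing any account's challenge.
TERMINAL: Set[str] = {"phone", "backup_codes"}

# A forwarder has no inbox of its own, so reading its mail always means opening
# its destination. Listing it as "challenged" stops it acting as a shortcut.
ALWAYS_CHALLENGED: Set[str] = {"forwarder"}


def recoverable(account: str, graph: Dict[str, Set[str]], terminal: Set[str],
                challenged: Set[str], _waiting: Optional[Set[str]] = None) -> bool:
    """True if `account` can be opened while the accounts in `challenged` demand a code."""
    if account in terminal:
        return True                       # a phone or backup code needs no login
    if account not in challenged | ALWAYS_CHALLENGED:
        return True                       # plain login works, nothing to satisfy
    waiting = _waiting or set()
    if account in waiting:
        return False                      # already waiting on this account: a loop
    waiting = waiting | {account}
    return any(recoverable(ch, graph, terminal, challenged, waiting)
               for ch in graph.get(account, set()))


def find_cycles(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Return every daisy chain in the recovery graph, each as a closed path."""
    cycles: List[List[str]] = []
    done: Set[str] = set()

    def dfs(node: str, path: List[str]) -> None:
        for nxt in sorted(graph.get(node, set())):
            if nxt in path:               # back edge: the path from nxt onwards is a loop
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in done and nxt in graph:
                dfs(nxt, path + [nxt])
        done.add(node)

    for start in sorted(graph):
        if start not in done:
            dfs(start, [start])
    return cycles


def lockout_report(graph: Dict[str, Set[str]], terminal: Set[str]) -> Dict[str, bool]:
    """Worst case: every account is challenged at once (roaming on a VPN)."""
    everything = set(graph)
    return {acct: recoverable(acct, graph, terminal, everything) for acct in graph}


if __name__ == "__main__":
    print("daisy chains:", find_cycles(RECOVERY))
    print("recoverable when all challenged:", lockout_report(RECOVERY, TERMINAL))
    # Same accounts, but gmail also accepts printed backup codes: the loop is broken.
    fixed = {k: set(v) for k, v in RECOVERY.items()}
    fixed["gmail"].add("backup_codes")
    print("after adding backup codes:", lockout_report(fixed, TERMINAL))
```

With the VPN off, the call `recoverable("gmail", RECOVERY, TERMINAL, {"gmail"})` returns True because hotmail is no longer challenged, which is exactly the escape the post describes; with every account challenged, nothing in the original configuration is recoverable until a terminal factor is attached somewhere in the chain.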

This whole debacle can be avoided. Allow me to temporarily turn off the location-based detection service before I go and let me log in from wherever the hell I like, or let me nominate that I’ll be roaming in advance and say where so it doesn’t look “suspicious”. Google and Microsoft et al: please spend your countless millions on improving my experience and educating people in the art of using excellent, secure passwords instead of pandering to stupidity with half-baked solutions.

6 muppets gave a toss

    Anon

    I think the “suspicious activity” heuristics might be more nuanced that you give it credit for Stef.

    If you were actually in Deutschland, you probably wouldn’t have triggered it.

    You were accessing Gmail from an IP address probably known as a proxy, however, and proxies are favoured by nefarious deed-doers.

    Stef Dawson

    @Anon: Thanks for the message. Normally I’d agree, and I truly would like to believe that the heuristics are cleverer than I made out. But given that I wasn’t even allowed to log in to one of the email services from a different UK-based location (even after the VPN was switched off), I concluded that the feature was not as well implemented as it could be.

    The system is ill-optimised for a number of use cases:

    1. Phones. Solely using a phone for browsing prevents sign-in alerts from “other devices” and “other locations” (providing you use the mobile carrier for data). But it probably wouldn’t prevent geographical alerts when hopping between Wi-Fi routers, as that would defeat the point of the check if a phone was stolen. With 2FA being seriously flawed, it’s not much security anyway.
    2. Desktops don’t move unless stolen. But web developers install multiple browsers for testing sites on, and may log in from different browsers, which trips the security feature with a “soft” alert (presumably only because the request comes from the same IP). What’s the point of this notification?
    3. Laptops/tablets suffer the same problem as phones to a degree. Visiting a different (geographically significant?) place with your device will trigger an “other location” alert. Whether it locks you out until verified is up to the direction of the prevailing wind.

    In all location-based cases, what constitutes “geographically significant”? Will the system help if someone steals a phone/laptop/tablet and runs a few streets away so you’re covered by the same network or provider?

    I still say the ‘feature’ is ill-conceived, but take on board the point about VPNs. Though why they are still deemed only of broad use to evil-doers instead of as general privacy-enhancing tools for the common person against the relentless government / corporate invasion, is down to the media (and a separate topic for discussion, no doubt).

    Ken

    I hope it posts this given an email address is required and I can’t access my webmail accounts because of the exact problem the author wrote of, and I am plenty p.o.‘d about it.

    If this even posts, can someone give a URL of a super low security email site that I can use once I get home that I can know I always can access as my secondary email address? One that will not lock me out because it deems my location suspicious?

    There is always a tradeoff between security and convenience. I wish to choose convenience, and these paternalistic companies need to allow me to do so!

    Stef Dawson

    @Ken: Thanks for reading, and I hear your frustration. I’ve had a good experience in the past with GMX. Though that was in the past, so they might have upped their security game since then.

    If you don’t mind paying a little for your email I can thoroughly recommend FastMail [1]. I’ve recently binned Gmail and switched over to them and love the control I have over my mail now. They offer a free trial (where you can’t send mail, only receive, unless you register a mobile phone number with them: I didn’t do that). If you don’t want to host a custom domain name, their Lite package is only $10 a year, which isn’t bank breaking.

    I haven’t stress tested the FastMail security triggering protocols (if any) yet, but I have logged in from multiple locations, including on mobile up and down the country, without issue so far.

    Hope you find a provider that suits you.

    [1] For full disclosure, this is a referral link so if you sign up for a plan higher than Lite, I’ll get a few bucks bonus. But this in no way sways my decision to recommend them. I honestly do rate them highly, so feel free to remove the referrer portion of the link.

    Ken

    It’s been a while, but just got a new computer and had some sign-in challenges due to that alone, so I just made a Fastmail account (I used your referral link).

    I’m still in the trial period, but Outlook not only has these damn challenges (though Google is actually far worse), but it does an awful job of spam filtering.

    Thanks for the info, and I’ll see how it goes.

    This extra forced security is horrible.

    Billy

    It is damned annoying to say the least.
    Sat in an airport trying to retrieve a booking reference from your hotmail account which has decided you are not sat in your own living room and therefore need to jump through hoops to login.

    I think the answer is to dump these useless free email accounts and pay for a similar service. At least you are justified in complaining when a service you have paid for starts bu**ering you about. Neither m$ or google give a sh*t about you or your email, so long as they give the service away, you have no recourse.

    Rant, rant, rant…
