How Likely is Losing a Google Account?
|January 29th, 2023|
To get a sense of how common lockouts are and how they happen I looked through lockout reports on Hacker News by searching for [google blocked account] and [google locked out]. I looked at top-level stories and the comments on them for cases where people were entirely locked out of an account; I didn't include cases where people lost access to only some Google services (Payments, AdWords, etc) or where they did get back in on their own. I did count cases where it took making a lot of noise on HN or Twitter, though.
There are two reasons people seem to get locked out:
Security lockouts: they're not convinced you're you, and are trying to prevent an attacker from getting into your account.
Policy lockouts: they don't like you. They've flagged your account as abusive, enough that they completely suspend your account.
I found 32 cases (sheet), going back to 2008. I found 22 security lockouts, 7 policy lockouts, and 3 with too few details to tell. I think this likely majorly undercounts security lockouts relative to policy ones: reading the comments, a lot of the security ones were like "that happened to me too" while the policy ones got mainstream news articles. 
With the security lockouts, in cases where you could tell what had happened the most common reason was that someone had configured a backup method (phone number, recovery email, 2FA) but no longer had access. The second most common were cases where someone hadn't configured any backup methods and Google was considering their login to be suspicious.
Security lockouts are a tricky situation because failures in either direction are very bad. All of the above are false positives: people who should have been let back into their accounts but weren't. But there are also false negatives: cases where an attacker was let into someone's account.
There is a question of whether Google should be flagging suspicious logins at all, though. If my account were protected only by a password and someone else got it, maybe Google should just let them in? The problem is that this would mean lots of hacked accounts: it's common for passwords to get revealed through phishing or cross-site password reuse. Using other aspects of your login, like your country, device, activity pattern, etc. as a kind of pseudo-2FA probably does make things better for users overall: if my username and password suddenly appeared from a new device in Russia there really is a good chance that it's someone trying to hack me. Luckily, users have a better option: opting into tighter security by setting up good 2FA. The more ways you can demonstrate that you are actually you, the lower the risk both of hacks and lockouts.
After going through these, it seems to me that the likelihood of a security lockout is low enough not to worry about if you:
In addition to memorizing your password, write it down and store it in a safe place. This is also worth doing if there's someone you want to have access to the account immediately if something happens to you (the Inactive Account Manager is also good, but it reasonably has a substantial delay).
Configure backup methods (phone, email).
Update backup methods promptly when they change. You can see what you have configured at myaccount.google.com/security.
Ideally, set up security keys for two-factor authentication, and if you do set up three (work, home, keychain or phone).
What about the policy lockouts, though? I think the risk there is also very low: these are rare enough to be newsworthy when they happen, even if they don't happen to anyone previously well-known. I put a little effort into avoiding grey areas (not filing chargebacks to Google, not taking pictures of my kids in the bath) but otherwise don't worry about this.
Even if the risk is low, however, maybe it would still be better to switch to something else that is even lower risk? The problem is that security and policy lockouts are something you can find with any service. For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.
This is not to say these companies can't do better here: without the outrage when they make a bad call I expect they would invest somewhat less in trying to make good calls. And if a provider does give a consistently worse experience than other options migrating makes sense. But after looking through the reports above I'm comfortable with the level of risk involved in keeping my Gmail account as primary.
(Disclosure: I used to work at Google, though not on anything related to this.)
 In this comparison I'm ignoring "true positive" lockouts where someone was correctly denied access to an account. This includes both true positive security lockouts (where someone else is prohibited from getting into your account) and true positive policy lockouts (where someone loses their account for legitimately abusive behavior like blatant spamming). There are likely tons of both of these, and their relative frequency isn't very important.
Comment via: facebook, lesswrong, hacker news, mastodon