What resource can Doreen go to at Google to get access to their accounts if Google’s security algorithm is requiring access to devices or authenticators they no longer have? I’m trying to be reasonable, but all I see is a tech company who enforces strong security practices with no exception handling. Great for Google and keeping costs down from an infosec and customer service perspective, but highly detrimental to those who lose what is very valuable to them (their emails and digital identity), and humans will lose valuable items (including devices, authenticators, and recovery codes) all the time.
I don’t expect us to solve this here, and I’m sure my perspective will differ substantially from those affiliated with Google or tech professionals in general (who don’t fully internalize the layman’s experience). I do believe I’ve provided sufficient evidence this is a real problem, and it’s likely going to require federal statute or FTC guidance to require tech companies to recalibrate their customer service and infosec ops around access and identity.
Regardless, I appreciate the discourse on this topic.