Google reportedly disabled the two-factor authentication device 'YubiKey' on a user's account without permission, for 'safety'



Passwords for logging in to web services and accounts can be stolen through information leaks caused by data breaches, no matter how complicated they are. However, if you set up two-factor authentication, you don't have to worry about someone else logging into your account even if your ID and password are leaked. 'YubiKey' is a device that makes it easy to introduce such two-factor authentication, but a person who used a YubiKey with a Google account has reported that 'Google deleted the YubiKey used in the account without permission.'

Google removed my Yubikeys from a google account 'Just to be safe' | lunnova.dev
https://lunnova.dev/articles/google-just-to-be-safe/

Smartphones are equipped with functions such as fingerprint authentication and face authentication as a matter of course. It is 'YubiKey'. It is easy to use, and GIGAZINE has previously reviewed the 'YubiKey 5C NFC', which is equipped with USB Type-C and NFC.

Physical security key 'YubiKey 5C NFC' equipped with USB Type-C and NFC that can be used on smartphones and PCs Review - GIGAZINE



In addition, Google, which handles highly confidential information and has many employees around the world, has reported that introducing 'YubiKey' drastically reduced phishing damage among its employees.

What is the latest high security countermeasure law that eradicated phishing damage of Google employees? -GIGAZINE



On December 26, 2022, engineer Luna Nova tried to open YouTube Creator Studio while logged into a Google account that had been in use for a long time, but was forcibly logged out of the Google account and shown an error page. When Nova tried to log in to the account again and inserted the YubiKey used as a two-factor authentication device into the device, the password was forcibly reset and the following message was displayed.



When Nova opened the Gmail settings screen according to the on-screen instructions, Nova noticed that mail forwarding rules that had been in use for several years had been deleted. After that, when Nova accessed YouTube Creator Studio again, the account was forcibly logged out again and a password reset was requested. Furthermore, this time a notice stated that, 'for safety', all 'two-factor authentication settings', 'security keys', and 'recent settings changes in Gmail' had been forcibly deleted.



Nova criticizes Google's response, saying, 'Removing a two-factor authentication device from an account without a request from the user is the worst reaction to suspicious activity.'

The mysterious behavior of this Google account has become a hot topic on bulletin boards and Hacker News. One expert expressed understanding of Google's response, saying, 'Google typically makes changes like those Nova experienced when it believes someone else has accessed the account and made some changes, or changed account recovery methods to keep legitimate users away from the account, so removing two-factor authentication devices is not unreasonable.'

On the other hand, it is unclear why this kind of action is taken only when accessing a specific service, as in Nova's case, and multiple people have said that there may be some kind of bug in the logic.

In addition, since Google had given no detailed explanation at the time of writing, it is unknown why Nova's Google account was forcibly logged out when opening YouTube Creator Studio and why the two-factor authentication device settings were deleted.

in Web Service,   Security, Posted by logu_ii