On May 27, 2015, at 8:09 AM, Harald Koch <chk@pobox.com> wrote:
On 26 May 2015 at 11:32, Alex Brooks <askoorb+nanog@gmail.com> wrote:
Can you not set account recory options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives some guidance?
Alex
Unfortunately, setting these options does not disable the separate "account recovery form" listed at the bottom of the page, and it is this form that allows you to login with any previous password and to bypass 2-factor auth.
I must admit I was surprised by this when I tried it just now. I guess it's time to rethink using Google as a primary account...
According to this page, the 2-factor authentication does kick in when you finally try to reset the password. http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling... <http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature> “… I was presented with an emailed link to a reset page. When I clicked that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.” AK