Sorry, couldn't resist. Shameful self-promotion, but this is why companies shouldn't implement their own two-factor authentication. Getting everything right is hard and chances are that you aren't reading or informed of the latest attacks.
At Authy we are obsessed with Two-Factor Authentication and spend a huge amount of time looking at whats happening in the ecosystem, which new attacks do we need to be aware of etc. It might look easy to build a quick two-factor authentication system, but history will repeat itself, and like passwords we'll see lots of bad and insecure implementations because its harder than what people think.
I appreciate startup self-promotion as much as the next guy buuuuuut are you saying multi-hundred billion dollar internet companies shouldn't implement their own 2f auth? they should instead trust the security of their hundreds of millions user to you? Really?
I think Authy is saying that even multi-hundred billion dollar internet companies get it wrong, that's how hard it could be to properly build 2-factor. Don't try it yourself, use us.
I get it, what I'm saying is, if you're a multi-billion dollar internet company whose business it is to manage hundred of millions of users, you should keep security in-house, and get it right instead of outsourcing it to a start-up.
I think specifically what they're saying is 'If even Google can get it wrong, then you should seriously reconsider implementing it yourself if you need it. That said, we know a lot more about it than most people and you can trust us more than you can trust something you build yourself.'
Assuming you aren't compromising someone's account that was left logged-in or a stolen phone:
Note down all information about the account creation, frequent contacts, services used .. basically all dashboard data and then contact Google. If you have a secondary recovery address, that's even better.
The point is that the company is dedicated to it, and they can't slip up or they outright lose customers, so they're more likely to pay attention to risks and the state of the art in multi-factor authentication.
At Authy we are obsessed with Two-Factor Authentication and spend a huge amount of time looking at whats happening in the ecosystem, which new attacks do we need to be aware of etc. It might look easy to build a quick two-factor authentication system, but history will repeat itself, and like passwords we'll see lots of bad and insecure implementations because its harder than what people think.