June 17, 2021

"Bad Authentication" error during login (blocked Google account)

I have recently been getting a few support requests about a "Bad Authentication" Error when logging in with Raccoon.

It looks like Google is on the warpath at the moment, trying to weed out bot accounts and causing collateral damage in the process. The thing to understand about Google accounts is that they are dual use:

  1. to track user activity (what websites are watched, what apps are used, where is the user,…?) to show them interest- and location-based ads.
  2. to give users access to purchased digital goods.

Google has every interest in banning non-human users (botnets) and in making sure that only legitimate account owners can log in. Hence, during login, a lot of scrutiny is applied that extends far beyond merely checking if username and password match. Some additional factors that are considered include:

  • Is the user logging in from his usual IP address? If not, the account might have been stolen.
  • Is the user logging in from the residential pool of IP addresses of a local telco? If not, the account may be used by a botnet.
  • Is the user logging in from his usual device? If not, the account might have been stolen.
  • Was the account created from an IP subnet with high botnet activity? If so, it may be a new bot, too.
  • Did the user provide a telephone number? If not, it might be a bot account.
  • Was the account recently used to send spam through Gmail? It might have been taken over by malware.

Every login attempt will trigger an alarm or two (e.g. when buying a new phone or moving to a different city). That is not a problem, unless the sum of the alarms (or more precisely: their severity) crosses a certain threshold, after which actions are taken.

Raccoon trying to log in to a (temporarily) disabled account.

If Google comes to the conclusion that a login attempt originates either from a non-human or from someone who is not the legitimate account owner, one of two actions is taken:

  • Any further login attempts from that specific device and subnet are blocked and the account owner is sent an email about a potential break-in.
  • The account gets disabled altogether.
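
The scoring idea described above, as an added example that is not from the original post and not Google's code: each signal from the list raises an alarm with a severity, and the summed severity selects one of the two actions. The weights, thresholds, all names and the sample addresses are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed severities and thresholds; the real values are not public.
WEIGHTS = {"unusual_ip": 2, "non_residential_ip": 3, "unusual_device": 2,
           "created_in_botnet_subnet": 3, "no_phone_number": 2, "recent_spam": 4}
BLOCK_THRESHOLD = 6     # block this device/subnet and e-mail the owner
DISABLE_THRESHOLD = 11  # disable the account altogether
RESIDENTIAL = ["192.0.2.0/24", "198.51.100.0/24"]  # constructed telco pools

@dataclass
class Account:
    usual_subnets: list   # CIDR strings seen on earlier logins
    known_devices: set    # device ids seen on earlier logins
    has_phone: bool
    created_in_botnet_subnet: bool = False
    recent_spam: bool = False

def alarms(account, ip, device_id):
    """Return the names of the signals that fire for one login attempt."""
    addr = ipaddress.ip_address(ip)
    def in_any(nets):
        return any(addr in ipaddress.ip_network(n) for n in nets)
    checks = {
        "unusual_ip": not in_any(account.usual_subnets),
        "non_residential_ip": not in_any(RESIDENTIAL),
        "unusual_device": device_id not in account.known_devices,
        "created_in_botnet_subnet": account.created_in_botnet_subnet,
        "no_phone_number": not account.has_phone,
        "recent_spam": account.recent_spam,
    }
    return [name for name, fired in checks.items() if fired]

def decide(account, ip, device_id):
    """Sum the severities of the fired alarms and map the total to an action."""
    fired = alarms(account, ip, device_id)
    score = sum(WEIGHTS[name] for name in fired)
    if score >= DISABLE_THRESHOLD:
        return "disable_account", score, fired
    if score >= BLOCK_THRESHOLD:
        return "block_device_and_subnet", score, fired
    return "allow", score, fired

# Constructed sample accounts (documentation address ranges only).
owner = Account(["192.0.2.0/24"], {"phone-1"}, has_phone=True)
no_phone = Account(["192.0.2.0/24"], {"phone-1"}, has_phone=False)
suspect = Account([], set(), has_phone=False, created_in_botnet_subnet=True)
```

With these assumed numbers, a new phone on the usual network stays below the threshold, while a new device on a new network for an account without a phone number is enough to get that device and subnet blocked.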

Dealing with blocked login attempts

Blocked login attempts typically happen after mundane things like moving to a new city, switching ISPs, roaming between WLANs, going on holiday or buying a new device. They are fairly trivial to deal with.

Note: Android devices are permanently logged in after being connected with an account. Therefore it is usually no problem roaming between different WLANs, unless the device's session expires and it has to (auto) log in on a foreign network.

Simply log in to the account manager using your web browser. Navigate to the login history; it will show a list of failed attempts. Confirm that these were yours and you are good to go.

Dealing with disabled accounts

If the previous method doesn’t solve the problem, the account may have been disabled. In this case, use DummyDroid to confirm (it has better error reporting than Raccoon). If the account has been disabled, it will give you a URL that you have to copy and paste into your browser (Google Chrome would be the preferred choice) in order to start the recovery process.

Sadly, Google’s account recovery is a fully automated process and there is no way of reaching a human being to look into matters. However, there are a few things you can try to improve your chances of getting an account unblocked:

  • Make sure there’s a telephone number registered to your account (do not use a phone number from a “receive free SMS” website. That’s what a spammer would do, and it will likely get your account flagged from the get-go).
  • Use Google Chrome (preferably on Android) for account recovery. Google uses an elaborate piece of JavaScript for doing its “friend or foe” detection and their own software is more likely to pass.

In case you still run into an endless loop, give up. The account is lost for good. Google just avoids telling you so because a final decision would mean opening the way for a legal path.

Browser login possible; Raccoon login not

For as yet unknown reasons, Google sometimes fails to recognize Raccoon as a genuine Android device. In this case, the workaround is to pose as a legacy email client. Log in with your web browser, go to your account settings and create an “app specific” password for use with Raccoon. NOTE: you have to enable two-factor authentication to do this.