Does that really work? If it was me doing this (NB: I would hate this as a user): I would retrieve the signed token from Google server-side, check whether it's true or false, and remotely lock out the account so it can't be signed in from any phone until you call customer service.