The Register

Locked out of your Gmail account? Google says phone a friend

The latest security feature for Gmail enables users to recover their accounts with a little help from their friends.

Google now lets users nominate trusted friends and family members whose accounts can be used to relay a recovery code when other recovery methods aren't available.

It comes as the tech giant continues to nudge its user base toward passkeys, which for some time now it has viewed as the future of account authentication.

The issue with passkeys, however, is that people routinely lose devices. When they lose their smartphone, for example, they lose their usual sign-in method and often the fallback channels too, since other email accounts and SMS one-time passcodes are typically received on the same phone, potentially leaving them without access to their email.

Once one or more trusted recovery contacts have been set, a locked-out user picks which contact should help them regain access and shares a code with them out of band. The contact gets a notification asking them to help with the recovery and verifies that the request was genuine using the code the user provided.

Verifying the request hinges on number-matching authentication. The recovery contact will be presented with three codes, and they have to select the one that the user provided them.

Google advises that users pick people they know are likely to respond within 15 minutes of a request being issued. After 15 minutes, the request will expire and the user will either have to issue the same contact a new code or pick a different contact.
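The flow described above, as an added illustration rather than Google's own code: a toy model of the number-matching exchange in which a request is issued with a 15-minute lifetime, the contact is shown three codes (the real one plus two decoys, shuffled), and the request is single-use. The six-digit code format, the in-memory request object and the state names are assumptions for the example.

```python
"""Toy model of a number-matching recovery-contact flow.

Added illustration, not Google's implementation. Assumed for the example:
six-digit codes, three choices shown to the contact, a 15-minute request
lifetime (from the article), and single-use requests.
"""
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

REQUEST_TTL_SECONDS = 15 * 60   # article: a request expires after 15 minutes
CHOICES_SHOWN = 3               # article: the contact is shown three codes
CODE_DIGITS = 6                 # assumption for this example


@dataclass
class RecoveryRequest:
    account: str          # account being recovered
    contact: str          # trusted contact asked to help
    code: str             # value the user shares out of band
    issued_at: float      # epoch seconds
    choices: List[str]    # what the contact sees, real code plus decoys
    state: str = "pending"   # pending | approved | rejected | expired


def _random_code() -> str:
    """Uniform random code from a CSPRNG, zero-padded to CODE_DIGITS."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def issue_request(account: str, contact: str,
                  now: Optional[float] = None) -> RecoveryRequest:
    """Create a pending request and the three-way challenge for the contact."""
    now = time.time() if now is None else now
    code = _random_code()
    decoys = set()
    while len(decoys) < CHOICES_SHOWN - 1:
        d = _random_code()
        if d != code:                  # decoys must differ from the real code
            decoys.add(d)
    choices = [code, *decoys]
    secrets.SystemRandom().shuffle(choices)   # position must not leak the answer
    return RecoveryRequest(account, contact, code, now, choices)


def is_expired(req: RecoveryRequest, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return now - req.issued_at > REQUEST_TTL_SECONDS


def contact_respond(req: RecoveryRequest, chosen: str,
                    now: Optional[float] = None) -> str:
    """The contact taps one of the displayed codes; returns the new state.

    A request is answered at most once: any answer, right or wrong, closes it,
    and an expired request cannot be approved late.
    """
    now = time.time() if now is None else now
    if req.state != "pending":
        return req.state                       # already decided; single use
    if is_expired(req, now):
        req.state = "expired"
        return req.state
    if chosen not in req.choices:
        req.state = "rejected"                 # not one of the offered options
        return req.state
    if secrets.compare_digest(chosen, req.code):
        req.state = "approved"
    else:
        req.state = "rejected"
    return req.state


if __name__ == "__main__":
    # Constructed demo accounts, not real data.
    req = issue_request("owner@example.com", "friend@example.com")
    print("contact sees:", req.choices)
    print("result:", contact_respond(req, req.code))
```

Because a wrong tap closes the request, someone who can see the contact's screen but never received the code gets one guess in three per request; the user then has to issue a fresh code or pick another contact, which is exactly the re-issue step the article describes, and is why the additional device and location checks it mentions still matter.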

It’s also worth noting that these trusted contacts should possess a strong sense of cybersecurity awareness.

While unlikely, given the steps involved, the trusted contacts recovery feature could feasibly be exploited by a sophisticated social engineer to gain access to an account if the contact isn't wise enough to spot a spoof.

Say, for example, an attacker starts an account recovery process for the victim's account and passes the code to a trusted contact over an untrustworthy channel, such as an unknown phone number they claim belongs to the friend, or a spoofed email address. If the contact falls for the ruse and selects the matching code, the account could be maliciously taken over.

However, Google still deploys additional checks to prevent attacks such as these from happening. It will look at the device’s history, location, and IP address to determine the trustworthiness of the recovery attempt, and potentially require further verification before it is approved.

Google also stated in a support article that even if the recovery contact approves a request, it may still place the account on a security hold, allowing extra time for the real owner to confirm whether the attempt was genuine.

Each user can choose up to 10 recovery contacts per account, and be a recovery contact for 25.

Employers’ Google Workspace accounts aren’t eligible for the feature, however. We tried it out but could only get it working on personal Gmail accounts.

Google didn’t mention it in the press release, but accounts enrolled in its Advanced Protection Program, like Google Workspace accounts, can’t set trusted recovery contacts, although they can be used to recover other accounts.

You also can’t use a child’s account for recovery, and they can’t add trusted contacts either.

“Passkeys have been one big step toward that password-free future,” Google said. “Recovery Contacts adds another trusted, secure option on top of our existing tools, helping you regain access when other methods aren’t available.

“Recovery Contacts are rolling out now. We know losing access to your account can be stressful, and we are continuing to work on new solutions to make recovery more dependable, while continuing to uphold Google’s high standards for privacy and security.” ®
