
Locked Out of Gmail? Google Says Call a Friend

The recovery feature allows trusted contacts to assist you in regaining access when other methods don't work

The newest security update for Gmail allows users to regain access to their accounts with assistance from their contacts.

Google now enables its users to designate trusted friends and family members, whose accounts can be utilized to obtain recovery codes when other methods are not feasible.

The move comes as the technology leader keeps encouraging its users to move towards passkeys, a method it has long considered the future of account verification.

The problem with passkeys is that individuals often misplace their devices. For instance, if a person loses their smartphone, they may not be able to quickly access their other email accounts or receive SMS messages containing one-time codes, which could result in them being unable to access their email.

Once trusted recovery contacts are set up, users can choose which one they want to help them regain access to their account. The user shares a code with that contact, who receives a notification prompting them to help with the recovery and confirms the request is legitimate by using the code the user shared.

Confirming the request depends on code-based verification. The recovery contact will be shown three codes and must choose the one the user gave them.

Google suggests that users select individuals who are likely to respond within 15 minutes of a request being made. Once 15 minutes have passed, the request will no longer be valid, and the user will need to either send a new code to the same contact or choose someone else.

It's also important to mention that these trusted contacts must have a solid understanding of cybersecurity.

Although it is improbable given the complexity of the process, the trusted contacts recovery feature could be misused by skilled social engineers to access an account if the contact fails to recognize a fake request.

For instance, imagine an attacker initiates an account recovery procedure and sends a code to a trusted contact through a compromised method, like an unfamiliar phone number they pretend is their friend's, or a fake email address. In such a scenario, there's a chance that an account might be illegally taken over if the contact is deceived by the trick.

Nevertheless, Google continues to implement extra measures to stop such attacks from occurring. It will examine the device's history, location, and IP address to assess the reliability of the recovery attempt, and may ask for additional verification before approving it.

Google also mentioned in a support article that even if the recovery contact approves a request, the account might still be placed on a security hold, giving additional time for the actual owner to confirm if the attempt was legitimate or not.

Each user may select as many as 10 recovery contacts per account and can serve as a recovery contact for 25 others.

Employers' Google Workspace accounts are not eligible for this feature. We tested it but were only able to get it working on personal Gmail accounts.

Google did not include it in the press release, but users who are part of its Advanced Protection Program and Google Workspace accounts are unable to set trusted recovery contacts, although they can serve as recovery contacts for other accounts.

You are also unable to use a child's account for recovery, and they cannot add trusted contacts either.

"Passkeys represent a significant move toward a password-free future," Google stated. "Recovery Contacts provides an additional trusted and secure choice alongside our current tools, assisting you in regaining access when other methods are not feasible.

"Recovery Contacts are now being introduced. We understand that losing access to your account can be worrying, and we are working on new methods to make recovery more reliable, while maintaining Google's strong commitment to privacy and security." ®
