Being locked out of a Google account is a modern nightmare. Between forgotten passwords, misplaced phones and phishing fallout, recovery can seem opaque and unforgiving. Now Google is rolling out two new options that make regaining access a little less painful, while tightening identity verification under the hood.
What’s New in the Google Account Recovery Process
First up, Google is adding Recovery Contacts, which lets you designate one or more trusted friends or family members who can help you recover your account if you ever lose access to it. Call it a reliability backstop: you preapprove people you trust, and if things go wrong they help confirm that you are who you say you are. The feature is in the Security section of your Google Account settings.

Second, Google will allow users to start recovery with a mobile phone number, then confirm using the lock screen passcode of the linked device. Rather than relying on easily intercepted SMS codes, the system identifies the accounts tied to that number and asks for the device’s passcode to verify the user. Google says the feature will roll out gradually worldwide.
How Recovery Contacts Lower Friction for Account Access
Account recovery fails when signals are too weak or out of date: old recovery emails, dormant phone numbers or devices we no longer have. Recovery Contacts strengthen that chain. The feature is similar in concept to Apple’s Account Recovery Contact, and is a new take on the “trusted contacts” some platforms have trialed previously.
Done right, it’s an effective balance of convenience and risk. You select your contacts ahead of time, Google handles the verification process and no one needs access to your passwords or codes. The best practice is to choose two or more people who can be reached, are tech-savvy enough to answer quickly and are not all in the same household. That lowers the likelihood that any one event (travel, a lost phone, a targeted fraud scheme) takes all options offline at once.
Why a Phone Number Plus Passcode Is More Intelligent
Recovery methods that are based solely on text messages can be circumvented with SIM swap fraud or number recycling. By pairing a known number with the lock screen passcode of the linked device, Google combines something you know (the passcode, a knowledge factor) with something you have (the linked device). On an up-to-date Android device, that passcode protects cryptographic keys stored in a secure enclave, which makes direct brute-force attempts significantly harder.
What’s crucial is that if a phone is stolen, the thief would still have to know your passcode in order to clear this check. On the other hand, if you lose control of a device but can remember the passcode, you have a way to verify your identity without waiting on carrier updates or needing access to an email account you may not be able to reach. It’s a pragmatic measure that brings recovery in line with the security model we employ for day-to-day sign-in.

Security Context and Real-World Stakes for Users
Account recovery is where usability and threat defense meet. Nearly all compromises begin with stolen or phished credentials, and email accounts are favorite targets because they unlock password resets across the web. Google has stated that Gmail blocks well over 100 million phishing attempts per day, the tip of the iceberg when it comes to what users contend with. Independent reporting from agencies such as the Federal Trade Commission shows that identity-related complaints are still measured in millions on an annual basis, reinforcing the need for stronger authentication and easier recovery.
These updates fall in line with wider shifts taking place within the industry: FIDO Alliance-supported passkeys to replace passwords, risk-based authentication, and better user education. Alongside the recovery changes, Google is also advertising a new learning tool called Be Scam Ready, a game-like experience that guides people through common fraud scenarios. That is useful context, since social engineering can be what tips over the first domino.
What to Do Now to Strengthen Google Account Recovery
Create a Recovery Contact in the Security settings for your account and tell those contacts that you’ve listed them. Check that your recovery email address and phone number are up to date. If you have no choice but to use a single phone, think about adding a secondary number or a security key as a backup.
Enable two-step verification if you haven’t already, and consider stronger methods like app prompts, security keys or passkeys instead of SMS alone. Keep the backup codes in a safe place. Finally, go over your list of devices and remove any you’re not using: it all helps Google build an accurate picture of the signals that indicate a genuine recovery attempt.
The pitch here is simple but meaningful: when things break, you will now have more ways to prove genuine ownership, without needless wasted effort.
For anyone who essentially lives and works inside a Google account, that amounts to a welcome reduction in stress where it matters most.