Tomas Vik

What would you do if you lost your Google account?

I was reading horror stories in the past about people getting locked out of their Google accounts. If you are anything like me, half of your digital life is stored in Google. Losing access to all this data would be traumatic at best.

In this article I’m researching what happens when you forget your password or lose your phone. What information will Google want to know about you and how can you best prepare for this situation so you don’t lose access to your account completely.

Theme illustration

“Illustration” by Ljubica Petkovic

I’ve been using the same Google account for the last 12 years1. And to be honest, I’ve never changed the password and never turned on the 2-Step Verification2 because I was afraid that I’ll lose my phone or forget my password and I won’t be able to access my account any more. I think this is not sustainable, so let’s have a look at what happens when you forget your password or you lose your phone.

Google is using the following two steps to authenticate you:

  • 1st step - Password (mandatory) - To prove that it is really you, you need to provide Google with a text password
  • 2nd step - You phone (optional) - Google uses different means (SMS, notifications, authenticator app) to enable your phone to uniquely identify you. On top of that it’s possible to use Security keys or keys generated by your password manager, but for simplicity we’ll use the phone example.

This approach combines something you know (password) with something you have (phone) to make it much harder for someone to impersonate you (e.g. by tricking you to enter a password into a fake log-in dialogue).

Turning on 2-Step Verification

First, you can relax. 2-Step Verification can be turned back off3

When you follow the steps in Google’s guide, you get asked which of the following options would you’d like to use:

  • Notifications (Prompts) to your Android phone
  • Security Key - USB stick-like device e.g. YubiKey
  • SMS and Phone calls

I choose notifications for convenience.

Then Google asks whether I’d like to use a backup number in case you lose my phone. But if I lose my phone my number is gone too since I always use prepaid. I chose to get backup codes instead. They are single-use codes that are more versatile than a phone number.

Tip 1: Store your backup keys in your password manager so if you don’t have your phone on you, you can still log in.

Account recovery: when you can’t prove it is you

You lost your phone and your dog ate your backup codes. Or you are having soap opera level amnesia and you don’t remember your password. How do you access your Google account?

Now you are going to end up with the dreaded Google Account Recovery.

The algorithm used by google to evaluate your identity is not openly known. Here are the things Google will want to know from you:

  1. What is the last password you remember?
  2. Do you still have access to your mobile devices?
  3. Your recovery phone
  4. Your recovery email
  5. Answer to your security question (deprecated)
  6. Request for providing additional details in writing (e.g. when you created your account, if you are travelling)

Now if you answer all of these sufficiently (and ideally from the same browser and IP address that you usually use), you are going to get a link to a page where you reset your password.

If you don’t answer these questions well enough, Google won’t grant you access to your account and it recommends that you forget about it and start a new one4.

We couldn’t be sure that you’re the owner. To keep accounts safe, we can’t give access to them if we can’t confirm who the owner is.

Tip 2: Keep your recovery information up to date5

The best way to prepare for his situation is to have all your recovery information up to date. I’m not sure how all these recovery options affect the security. It seems to me that if you provide too many ways how to reset your account’s password, it makes it easier for someone else to do it as well.

Prepare for the worst

The way I understand it, if you get to the “Account recovery” phase, you can’t be certain that you are going to get your account back. Most likely having your recovery email and phone up to date is going to be enough, but what if your IP looks really suspicious for some reason (trip to Thailand maybe)? One of my other Google accounts actually have been inactive for so long that Google doesn’t trust me when I enter the password and there’s no way to recover.

There is one more option for super paranoid people. Backup all your data. For all things I dislike about Google, they do give you a full access to your data. Visit Google Takeout to back up all your data locally (for me it is 2.8GB of email that I’m interested in). This approach brings its own risks. I’d strongly recommend encrypting the backup otherwise you have a big portion of your online life lying in a plaintext on your hard drive.

Conclusion

I hope this article helped you to understand what might happen if you forget/lose your credentials/phone. I feel much more confident about both the security of my account and how to recover it should the situation arise.