A new security feature in Gmail will let users restore access to their accounts with help from friends or family. Trusted Contacts (Recovery Contacts) can be used to receive recovery codes in cases where other methods are unavailable.
Each user will be able to specify up to 10 trusted contacts for a single account, and can themselves serve as such a trusted contact for 25 other accounts.
Lately, Google and other major industry players have been actively encouraging people to use passkeys, which are seen as a replacement for traditional passwords. Many believe that the future of authentication lies in this technology.
The problem, however, is that people regularly lose their devices. If a user loses a smartphone, they may be unable to reach in time the backup email account or the SMS messages that carry one-time codes, which can lock them out of their mailbox.
“Passkeys are a big step toward a passwordless future,” Google writes. “Trusted contacts for recovery offer another reliable and secure option (in addition to existing tools), helping to restore access to an account when other methods don’t work. We understand that losing access to an account is stressful, and we continue to work on new solutions to make recovery more reliable while maintaining Google’s high standards of privacy and security.”
The company's engineers report that users can now designate trusted contacts who will help restore access to the account. A trusted contact receives a notification asking them to assist with recovery and confirms that the request is genuine using a code provided by the user.
The verification will be based on matching numeric codes. A trusted contact will be shown three codes and will need to choose the one provided by the user.
Google notes that trusted contacts should have a solid understanding of cybersecurity. The company also recommends choosing people who can respond within 15 minutes of sending the request. The reason is that after 15 minutes the request expires, and the user will have to either resend the code to the same contact or choose someone else.
There is a risk that recovery via trusted contacts could be abused by attackers through social engineering, especially if the contact isn't careful enough to recognize the scam.
For example, an attacker could initiate the account recovery process and relay the recovery code to a trusted contact from an unknown phone number that supposedly belongs to the victim's friend, or from a spoofed email address. If the trusted contact falls for the scam, the account can be taken over.
To prevent such attacks, Google will apply additional checks. Before a request is approved, the company reportedly analyzes device history, location and IP address to judge whether the recovery attempt is legitimate, and may also ask for additional verification.
It is also emphasized that even if a trusted contact approves the request, the account may still be locked for a security review, giving the legitimate owner additional time to confirm the legitimacy of the recovery attempt.
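The flow described above (a numeric code relayed by the user, three candidate codes shown to the contact, a 15-minute expiry, a possible hold for security review, and the 10-per-account / 25-per-contact limits) as a small model written for this article; it is an added illustration, not Google's code, and the `risk_signals_ok` input stands in for the device, location and IP analysis the article mentions:

```python
import secrets

MAX_CONTACTS_PER_ACCOUNT = 10   # limits stated in the announcement
MAX_ACCOUNTS_PER_CONTACT = 25
REQUEST_TTL_SECONDS = 15 * 60   # a request expires after 15 minutes

class RecoveryRequest:
    """One recovery attempt (assumed model, not Google's implementation)."""
    def __init__(self, account, contact, now):
        self.account, self.contact, self.created_at = account, contact, now
        # numeric code the locked-out user relays to the contact out of band
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.held_for_review = False

    def expired(self, now):
        return now - self.created_at > REQUEST_TTL_SECONDS

    def choices_for_contact(self):
        """The three codes shown to the contact: the real one plus two decoys."""
        decoys = set()
        while len(decoys) < 2:
            d = f"{secrets.randbelow(10**6):06d}"
            if d != self.code:
                decoys.add(d)
        options = [self.code, *decoys]
        secrets.SystemRandom().shuffle(options)
        return options

    def contact_selects(self, chosen, now, risk_signals_ok=True):
        """Contact picks one of the three codes; returns the outcome."""
        if self.expired(now):
            return "expired"      # user must resend or choose another contact
        if chosen != self.code:
            return "rejected"
        # Even an approved request may be held for a security review when
        # device history, location or IP look unusual (assumed boolean input).
        if not risk_signals_ok:
            self.held_for_review = True
            return "approved_held_for_review"
        return "approved"

def add_trusted_contact(account_contacts, contact_accounts, account, contact):
    """Enforce the 10-per-account and 25-per-contact limits."""
    mine = account_contacts.setdefault(account, set())
    theirs = contact_accounts.setdefault(contact, set())
    if contact not in mine and (len(mine) >= MAX_CONTACTS_PER_ACCOUNT
                                or len(theirs) >= MAX_ACCOUNTS_PER_CONTACT):
        return False
    mine.add(contact); theirs.add(account)
    return True
```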
The new feature is not available for corporate Google Workspace accounts. Although Google doesn't mention this in its announcement, accounts enrolled in the Advanced Protection Program, like Google Workspace accounts, cannot set trusted contacts for recovery, though they can serve as trusted contacts for other accounts.
You also can’t use a child’s account for recovery, and children won’t be able to add trusted contacts.