Google has rolled out new security features designed to make account recovery easier and more secure, including a novel “Recovery Contacts” system that lets users enlist trusted friends or family to help regain access if locked out. The update addresses a long-standing pain point for users: the often frustrating and lengthy process of recovering hacked or lost accounts.
New Recovery Options: Beyond Passwords
The core of the update is the Recovery Contacts feature, which functions similarly to the “Phone a Friend” lifeline on Who Wants to Be a Millionaire? Users designate a limited number of trusted individuals who can verify their identity and help them regain access to the account. This system isn’t a replacement for traditional methods like recovery emails or phone numbers, but an additional layer of security.
The process involves sending an invitation to the chosen contact, who must then accept. If the account is compromised, the user will see an option to request help from their contact, who will receive a verification prompt on their device. Once verified, the user can regain access and reset credentials. Google emphasizes that recovery contacts can’t unilaterally take over accounts, and safeguards include time delays and security notifications.
Addressing Privacy Concerns
While convenient, the Recovery Contacts feature raises privacy questions. Google now has more data on users’ social connections, which could be misused. The company insists this information will only be used for security purposes, but experts like CNET senior editor Lori Grunin point out that this expands Google’s web of associations between individuals.
“On one hand, Recovery Contacts is a really good idea,” Grunin said. “On the other hand, it helps Google build a web of associations among people that it might otherwise not have and that can potentially be misused.”
Beyond Friends: Phone Number Recovery and Message Protections
Google’s security overhaul extends beyond the Recovery Contacts feature. Users can now use their phone number as a recovery method, and the company is strengthening protections within Google Messages. A new link-vetting system will warn users if incoming links are flagged as spam, while the “Key Verifier” tool uses QR codes to authenticate contacts within the messaging app.
These measures are crucial because scammers frequently exploit text messages to trick victims. According to Lance Spitzner, director of SANS Workforce Cybersecurity Training, Google’s new link-vetting feature can block phishing attacks before they succeed.
Human Trust as a New Attack Surface
Security experts warn that any system relying on human trust is vulnerable to social engineering. Aaron Rose, security architect manager at Check Point Software, notes that malicious actors could manipulate trusted contacts to gain access.
“Any system that relies on human trust (like designating recovery contacts) can be socially engineered,” said Rose. “We’ve seen similar tactics used in business email compromise schemes, where emotional manipulation, not technology, is the point of entry.”
Google says it has built-in safeguards to prevent misuse, including limiting the number of recovery contacts and requiring multiple verifications. The company also stresses that it will never ask for personal information over the phone.
Ultimately, Google’s expanded security features represent a step forward in protecting user accounts, but they aren’t foolproof. The most effective defense remains a combination of strong passwords, two-factor authentication, and a healthy dose of skepticism.





















