Google Revolutionizes Account Recovery with Trusted Contacts and Phone-Based Sign-In
Forgetting a password or losing a device often spirals into a frustrating battle with account recovery forms—a vulnerability Google aims to eliminate. In a significant security update, the tech giant has introduced Recovery Contacts, enabling users to designate up to 10 trusted friends or family members as lifelines during lockouts. If access is blocked due to a forgotten password, lost passkey device, or even a compromise, these contacts can verify your identity via a one-time code shared over a phone call. As Google emphasizes, contacts gain no access to personal data, preserving privacy while streamlining recovery.
Setting up Recovery Contacts is straightforward: navigate to Security in your Google Account, select Recovery contacts, and send requests via email. Once accepted, the system activates, with no special apps required. The feature is not available to child accounts, Google Workspace users, or those in the Advanced Protection Program, though these accounts can serve as contacts for others. This feature tackles a critical pain point: 74% of users reuse passwords across accounts, making centralized recovery essential against credential-stuffing attacks.
Simultaneously, Google unveiled Sign in with Mobile Number, a frictionless method for accessing your account on a new Android device. If your phone is lost or broken, entering your number and the previous device’s lock-screen passcode bypasses traditional authentication. This leverages device-bound credentials, reducing dependency on fallible passwords or SMS codes vulnerable to interception. As cybercriminals deploy AI-driven voice cloning and deepfakes, such innovations prioritize accessibility without sacrificing security.
Complementing these updates, Google Messages now automatically flags suspected spam, blocking malicious links by default. Users can override false positives by marking messages as "not spam." Additionally, the Key Verifier tool—available on Android 10+ devices—uses QR code scans between contacts to establish end-to-end encryption keys, ensuring private conversations resist man-in-the-middle attacks. As Google stated:
"Today, people routinely encounter elaborate phishing attempts with voice cloning and deepfakes. We’re rolling out features designed to help you avoid scams altogether."
These advancements reflect a broader industry pivot toward multi-layered, user-centric security. Recovery Contacts, for instance, echoes social recovery models in crypto wallets, while phone-based sign-in aligns with FIDO2 passkey standards. For developers, this signals Google’s investment in reducing account support burdens and mitigating credential theft. Yet, it introduces new considerations: selecting trustworthy contacts demands careful judgment, and phone-number reliance could be exploited via SIM-swapping if not paired with robust carrier protocols.
In a landscape where phishing scams cost businesses $4.76 million annually per incident, Google’s approach merges human trust with technical safeguards—proving that the future of security isn’t just about complexity, but intelligently bridging convenience and resilience.
Source: ZDNET