Do not lose access to your email account
Updated, Oct. 20 with a new device “not secure” warning for Gmail users and key recommendations for ensuring user accounts are secured.
Google has warned Gmail users to secure their accounts by adding passkeys and replacing weak passwords. It has also warned that attackers are getting into those accounts with stolen credentials, and the sharp rise in two-factor authentication bypasses makes this worse. SMS codes are the weakest second factor available and no user should still rely on them.
Now Google has issued a new warning for users who lose their phone completely — either because it’s genuinely lost or broken, or more likely nowadays, because it’s stolen. The plague of phone thefts now affects most major cities worldwide.
“We understand phones get lost, stolen or broken,” Google says, “and don’t want to add losing access to your Google Account to the headache.” That’s why the tech giant has just confirmed that users “can now regain access with your mobile number.”
This new option is called “Sign in with Mobile Number” and “makes recovery on a new Android device easier.” The security update “automatically identifies your accounts using your phone number. All you need is the lock-screen passcode from your previous device for verification, no password needed.”
While this affects all your Google accounts, Gmail is the one prized above all. It provides access to account recovery and sign-in options for other platforms, contains a raft of personal information, and is often your unique online identifier. “We are introducing this gradually worldwide,” Google says. “Watch for it on a phone near you.”
Google has also introduced a “Recovery Contacts” option, which it says “allows you to designate trusted friends or family members as Recovery Contacts. If you’re locked out due to a forgotten password, lost passkey device, or account compromise, these contacts can help verify your identity, providing a simple and secure way to regain access.”
While the mobile number recovery option is sound, the contact option is fraught with risk. It is an open invitation for social engineering: an attacker who tricks a user into designating an attacker-controlled recovery contact, as one step in a wider attack, has bought themselves a way back into the account. Unlike the mobile number route, which is tied to possession of the previous device's lock-screen passcode, this rests entirely on the user's own judgment about whom to trust, with no technical check behind it.
If you want to take the risk, Google says you’ll find Recovery Contacts under Security in your Google Account, “which has been newly redesigned to make managing your personal information easier.” My advice is to think carefully before you do so.
Meanwhile, a timely warning on a Reddit Gmail thread is a reminder of the very real threat users face of being locked out of their accounts. There is that dreaded moment when you find yourself logged out, unsure whether this is a hack, a technical bug or simply an update. For most users, it is likely impossible to tell. In this case, it was a popup warning the user: “Your device is not secure.” Something to watch for.
Advice on the thread includes warnings that the likely cause is a credential infostealer, perhaps one that lifts session cookies as well as passwords. Whatever the cause, the defensive steps are easy, and you should take them now, before it’s too late. Google has warned that most users have yet to add passkeys to their accounts, or even two-factor authentication (2FA). Do both now.
A passkey is bound to your device’s hardware and to Google’s own sign-in pages, so it cannot be phished or replayed from a stolen credential dump; that closes off most of the attacks seen on these threads. It does not help if malware on the device has already stolen a live session cookie, which is why an unexplained sign-out should also prompt you to review the devices listed on your account and sign out of any you don’t recognize. You need 2FA regardless. Google doesn’t yet let you delete passwords in the way Microsoft does, which means the password continues to provide access to the account, in your hands or someone else’s.
It should be a comfort that most of the hacks highlighted on Reddit and elsewhere are easily defended against. A few simple steps, minutes in total, will keep your account your own. None of this will stop someone stealing your phone, or you losing it, but it will ensure your email stays yours.