Don’t lose access to your email account
Updated October 20 with a new “unsecured” device warning for Gmail users and key recommendations for keeping user accounts secure.
Google has warned Gmail users to protect their accounts by adding passwords and changing weak passwords. It has also warned that hackers gain access to these accounts using stolen credentials. The alarming rise in two-factor authentication bypasses makes it worse. No user should rely on SMS for security.
Now Google has issued a new warning for users who lose their phone altogether — either because it’s actually lost or broken, or more likely these days, because it’s been stolen. The scourge of stolen phones now affects most major cities worldwide.
“We understand that phones get lost, stolen or broken,” Google says, “and we don’t want to add losing access to your Google Account to the headache.” That’s why the tech giant just confirmed that users “can now regain access with your mobile number”.
This new option is called “Connect with mobile number” and “makes it easier to recover on a new Android device.” The security update “automatically recognizes your accounts using your phone number. All you need is the lock screen passcode from your previous device for verification, no passcode required.”
While this affects all of your Google accounts, Gmail is the one that is prized above all. It provides access to account recovery and login options for other platforms, contains a range of personal information and is often your only online identifier. “We’re gradually rolling it out around the world,” Google says. “Look out for it on a phone near you.”
Google also introduced a “Recovery Contacts” option, which it says “allows you to designate trusted friends or family members as Recovery Contacts. If you’re locked out due to a forgotten password, lost passkey, or account breach, these contacts can help verify your identity, providing a simple and secure way to regain access.”
While the mobile number recovery option is good, this contacts option is fraught with risk. It’s an open invitation for socially engineered attacks that trick users into setting fake recovery contacts as part of a larger attack. Unlike the mobile number system, which is based on a technical flag, this is entirely manual with no controls.
If you want to take a chance, Google says you’ll find Recovery Contacts in the Security section of your Google Account, which has been recently redesigned to make it easier to manage your personal information. My advice is to think carefully before you do.
Meanwhile, an early warning on a Reddit Gmail thread should serve as a reminder of the very real threat users face from having their accounts locked. There is the scary realization, when you are logged out, that you’re not sure if it’s a hack, a glitch, or just an update. For most users, it’s likely impossible to tell. In this case, it was a pop-up warning the user: “Your device is not secure.” Something to watch out for.
Thread tips include warnings that this is likely a credential stealer, maybe even a session cookie stealer. In fact, what you need to do is easy and you should do it now before it is too late. Google had warned that most users have yet to add passwords to their accounts or even two-factor authentication (2FA). Do both now.
Adding a passkey protects you from almost all attacks by tying your account security to your hardware. When it comes to 2FA, you need it anyway. Google doesn’t yet let you delete passwords the same way Microsoft does. This means passwords continue to provide access to accounts, in your hands or someone else’s.
It should be a comfort that most of the security hacks highlighted on Reddit and elsewhere can be easily protected against. A few simple steps — minutes in total — will ensure your account stays yours. And while that won’t stop someone from stealing your phone, or you losing it, it will ensure your email remains yours.
