Getting locked out of your Google account is more than an annoyance; it can be a major headache. You can lose hours in endless recovery loops, and still end up nowhere. Now, Google says it’s found a simpler fix: you can call a friend for help.
As CNET reports, Google’s new Recovery Contacts feature lets you nominate a trusted friend to verify your identity if you get locked out.
Setup is simple: choose your most reliable ally (a partner, sibling, or friend) and send them an invite through your Google Account’s Security settings. Once they accept, they’ll be your backup lifeline. If you’re ever locked out, they’ll receive a prompt to confirm it’s really you.
The move sounds like a win for convenience. But, as CNET senior editor Lori Grunin noted, it comes with a trade-off: “It helps Google build a web of associations among people that it might otherwise not have, and that can potentially be misused.”
Security experts share mixed feelings. Aaron Rose, Office of the CTO at Check Point Software, says: “These types of features can create a sense of safety that isn’t always justified. If users believe Google’s new warnings and recovery methods will catch everything, they may let their guard down against more subtle or AI-generated scams. Deepfake voice or video phishing can easily outsmart even the savviest users. True security comes from combining these built-in protections with continuous education and awareness – the human layer is still our weakest link and cannot be overlooked.”
Rose adds that although Google’s new recovery features are well-intentioned, they also introduce a fresh attack surface if not carefully managed. “Any system that relies on human trust (like designating recovery contacts) can be socially engineered. Attackers could manipulate or impersonate a trusted contact to gain account access. We’ve seen similar tactics used in business email compromise schemes, where emotional manipulation, not technology, is the point of entry.”
“Using a phone number or previous device as a primary recovery mechanism is convenient, but it comes with inherent risks,” he continues. “SIM swap attacks and mobile malware continue to rise, and tying account recovery too closely to a single device or number could give attackers a foothold if that endpoint is compromised. Attackers are becoming increasingly skilled at exploiting convenience features, so it’s critical that such recovery tools include strong multi-factor verification and anomaly detection behind the scenes.”
Recovery Contacts is one of several updates rolling out this week. Others include account recovery via phone number (where Google asks for your previous device’s PIN or pattern) and stronger protections in Google Messages.
Among these, a new link-vetting tool flags suspicious URLs in text messages before you click. Lance Spitzner from SANS Institute called it “a strong move in the right direction,” though he reminded users that vigilance still matters more than any feature toggle.
Google also launched Key Verifier, a QR-based identity check inside Google Messages, and a new awareness game called Be Scam Ready, designed to teach users how to spot scams before falling for them.
Smart moves, all told, but as ever, safety online still depends less on software and more on the people using it.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


