Details Of Google Account Recovery Process and Security Concerns


Account Recovery Walk-Through

During the course of 2016 Google made significant changes to the process of account recovery. In general it was simplified to a more generic process covering several specific cases. This means that any recovery process you may have used in the past is probably different now, so don't be surprised.

Additional sources of information include the Gmail Help Center and the Gmail Help Forums, both of which support searching for topics of interest.

Lost Password Recovery

The recovery process can be started in either of two ways:

Go to the Gmail sign-in page at https://mail.google.com/ and, after entering your e-mail address, click the "Forgot password?" link.
Go directly to the start of the recovery process at https://accounts.google.com/sign...

You should see an "Account support" page where you can enter your e-mail address and click next to start the process. There is also a "Find my account" link if you don't remember your e-mail address (discussed below).

You will then be presented with a number of possible ways to regain access to your account or attempt to prove you own it. The options available are dictated by what recovery options were previously configured on the account. For example, if no recovery e-mail address was configured, that option will not be shown. If options were configured but not kept up-to-date, they will be shown but may be useless for recovery. In the case of a compromised account, the options may be shown, but if they were modified by the hacker they will be useless for recovery.

If the lost account has 2-step verification enabled (https://gmail.googleblog.com/201...) the process will be a little different as discussed below. This will also be true if the account was compromised and the hacker enabled 2-step verification to make it harder to recover the account.

The recovery options available may include any of the following questions or actions, and possibly others not listed or pictured below:

Enter the last password you remember
Get a verification code by text or phone call at (it doesn't always offer both options)
Confirm the phone number you provided in our security settings
Google will send an e-mail containing a one time verification code to
Get a prompt on your and tap Yes to sign in
Answer the security question you added to your account
When did you create this Google account?
If you can, briefly tell us why you can't access your account

The majority of the options are based on pre-configured information set up in the account prior to losing access. So if an option (like a recovery e-mail address) was never configured, that option will not be offered. If you do have a pre-configured e-mail or phone number and select that option, you will be sent a six-digit code to enter. Entering the correct code may take you to a page to reset the password. Answering enough of the other questions correctly might also take you directly to that page.

It's also possible that even with a pre-configured phone number or e-mail, and after receiving a code, the process may ask you additional questions. This can happen when Google has noted suspicious activity on the account and needs additional proof of ownership before returning the account.

If you can't use or answer a given option, click the "Try a different question" link for the next option. Of course if you skip too many of the questions you will not be able to prove ownership of the account. If you aren't given the option to reset the password, the last question will typically ask for a contact address where Google can e-mail you.

As above, a six-digit code will be sent to that address, which you will then enter. But unlike above, receiving this code does not mean you will be allowed to reset the password. This step is to verify that you have a valid, working e-mail account that you can access. The answers you provided on the previous pages will determine if you are given the option to reset the password, or if your request is denied. The message attempts to be clear that the contact e-mail was verified, but that ownership of the account has not been proven (verified).

If you can't use any of the options or fail to prove ownership of the account, you then will receive a message that "Google couldn't verify this account belongs to you". You can of course try again if you have additional or more accurate information to provide, but if you can't prove ownership of the account, it is lost. There are no other ways to recover a lost account.

Lost Account Name

If you clicked the "Find my account" link on the first page you will be directed to a series of steps where you will provide: a previously configured e-mail or phone, the real name on the account, and a verification code. If you are successful, you will then receive a list of accounts that match that information and you can proceed to sign in. You must know both the e-mail/phone and the name on the account. If you also don't know the account password, then you will use the above process to attempt to recover it.

Accounts With 2-Step Verification Enabled

Two-step verification adds an extra level of protection to accounts by requiring a second action or code in addition to the password to sign into an account. As such, recovery for an account with 2-step verification enabled is a bit more strict. This can work against the owner if the account has been compromised and 2-step enabled by the hacker.

When 2-step verification is enabled you will see a third screen after providing your account name and password, where you need to provide the 2-step verification code via the default method you have configured on the account. If you are unable to provide the 2-step response, the page has a "Try another way to sign in" link. It will then list all the options previously configured for the account (this list could be very short if no backup options were configured). Clicking the last "Ask Google for help..." box leads to another screen listing all the options again along with a few more.

Yes, the above account does have a lot of 2-step verification options configured as I have no intention of getting locked out of my own account.

At the very bottom of the second screen is a link to "Request Google's help". At this point you will be in the regular account recovery process, although there may be additional questions available based on options you had configured on your account. For example:

If insufficient proof of ownership was provided, the "Google couldn't verify.." message will be displayed, similar to the standard recovery process above. If sufficient information was provided for Google to investigate further, the "Thanks! We're on it." message will be displayed.

When Google concludes its investigation, which can take 3-5 business days (a week real-time), you will be notified at the contact address you provided.

If your request is denied the only option is to repeat the process providing more answers to the questions, or more accurate answers than provided previously. Simply repeating the process with the same answers will not help. You must provide more proof of ownership or Google will not return the account.

G Suite accounts

G Suite (formerly Google Apps) accounts are those not ending in @Gmail, and they cannot be recovered using the standard Gmail recovery procedures. One must contact the Google Apps administrator for the domain, who can reset the password, allowing you to regain access.

Additional Recovery Hints and Tips

This section contains information and hints that can greatly improve your chances for a successful account recovery. This section is long and doesn't have any pictures, but it's probably a good idea to read it very carefully.

The account recovery process is composed of a set of factors that Google uses to determine the legitimate owner of an account. Some you have limited control over, and some you do not. But understanding them is important to getting through the process successfully.

Factors you can control before the account is lost - presumably you're reading this article because you've already lost access to an account, so it's a little late for these items. Still, keeping these in mind for the recovered account and any other accounts you have may prevent you from needing to visit this article again in the future.

Account password - write it down and keep it someplace safe. Everyone thinks they'll remember their password, but many are wrong. If you keep records of your password a lost account is easily fixed by just looking it up.

Recovery options - configure the options available (e-mail and phone) for all your accounts. And most importantly, keep them up-to-date. https://support.google.com/accou...

Creation date - one of the current questions in account recovery is when the account was created. Simply printing or forwarding one of the original "welcome to Gmail" messages to another account for safe-keeping gives you a way to always look it up.

Account Security
Settings that improve the security of the account and make it easier to recover a lost account.

Please note that the path used below to get to account settings (Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page]) can be skipped by using the direct link to account settings: https://myaccount.google.com

Settings -> Accounts and Import -> Change account settings -> Change password
Pick a new secure password.
Direct link: https://myaccount.google.com/sec...

Settings -> Accounts and Import -> Change account settings -> Change password recovery options
Verify mobile phone number, recovery e-mail address, and secret question/answer (if available).
Direct link: https://accounts.google.com/b/0/...

Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page] Personal info & privacy -> Your personal info
Verify your name and other settings.
Direct link: https://myaccount.google.com/pri...

Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page] Sign in & security -> Connected sites & apps -> Apps connected to your account -> MANAGE APPS
Revoke Access to any sites listed that aren't recognized or absolutely needed.
Direct link: https://security.google.com/sett...

Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page] Sign in & security -> Signing into Google -> 2-step verification
For additional account security, enable 2-step verification, and be sure to save a set of backup codes as instructed during setup.
Direct link: https://accounts.google.com/b/0/...

Now that your account is secure, check again for other sessions logged in. If there is still another session on the account, repeat the above until you successfully get everything secured while no one else is logged in. Now that the account is fully secured and you've verified no one else is logged in, you may want to change the password one last time.

And don't forget the Gmail Security Checklist and Account Security Checkup mentioned above.

Additional Information

https://dinfogen.quora.com/Step-wise-Process-of-Gmail-Account-Recovery-and-Security