I normally use this weekly column to answer people’s technology-themed questions. This week, I’m taking a slight departure, because I think sharing a reader’s story is important—even though there’s not really much that I, or Google, can do in the case of her locked Google account. There’s a lot we can learn from her example, and a few items you should check to make sure this frustrating issue never happens to you.
Lifehacker reader Cathryn writes:
I stupidly forgot my Google account password back in November 2019; I had only just changed it. I asked them to email or text me a verification code, like I’d done so many times before; however, I stupidly added the 2 step verification on my account.
The problem was I inputted an incorrect recovery email address; I missed 2 digits off my email. Therefore the 2 step verification wouldn’t work. Google locked my account. I also broke my mobile phone screen days later, so that I ended up buying a new handset, but with the same mobile phone number.
I only get asked 1 security question, “what was your first phone number”; I picked that question myself in the security settings a long time ago. Then I get asked to give them an email they can contact me on, then a few days later I receive an email stating they don’t have enough evidence so unfortunately they can’t open my account.
I never get asked any questions such as when was your account created. I’ve tried recovery options from my laptop, Kindle, etc. that used the same Gmail account, plus it’s all from my home IP address.
I get it’s my fault for initially forgetting my password, but Google security settings are flawed, as when I put a recovery email they should send an automatic email confirmation to make sure it’s correct due to human error. I’ve lost lots of important documents and 9 years of Google photos with some pictures of loved ones that I’ll never get back.
I present this reader story as a cautionary tale. First, whenever you’re dealing with two-factor authentication or any kind of account-recovery options—whether you’re inputting your email or phone number to set it up, or you’re copying down precious backup codes—it’s critical that you triple-check this information. That’s not because there’s no way to change it; you can obviously change details like your email address or phone number if you have access to your account. However, you’re less likely to do this because most people assume that everything is on the up and up once they’ve set up their accounts. And if it isn’t, and you left a typo in a critical account recovery option, you’re going to have a mess of a time when you try to restore access.
Google makes this entire situation particularly frustrating because they, a giant search company that practically prints money, have no desire to set up a customer service centre that Google users can call whenever they have issues with Google’s services. Regular (free) Google users get a Help Centre and some community forums, but that’s it.
And while I’m a little snarky about this, I do see Google’s point of view. First off, most people aren’t paying Google a dime for the services they’re using. Yes, Google is doing everything it can to extract data from you so it can better target you with relevant advertising, but most people aren’t coughing up cash for the privilege of using Gmail, for example. You might pay Google a little per month for some extra storage, but that’s about it. Why dedicate a not-so-insignificant amount of resources to a service centre for free services?
Second, and more importantly, Google’s lack of one-to-one help for issues like account recovery is actually a security measure in itself. Consider the alternative: If someone sort-of knew your email address, phone number, and/or mailing address, in combination with some information they’ve pilfered from one of the many data breaches out there, would you want them to be able to convince a Google customer service representative that they are actually you?
Giving everyone the same, generic account recovery process, and letting nobody have access to any special favours or extra support, makes it harder to get into a locked account when you have unique issues, sure. It also makes it harder for others to get into your account. I’m not saying I’m a fan of this trade-off—because real people do have complex issues that need special help—but it does help limit an unscrupulous person’s ability to social engineer their way into your Google account.
This puts the burden on you to make sure that all of your recovery mechanisms for your Google account are accurate. Even if you’ve already set them up and are feeling pretty good about it, I recommend taking a quick few minutes to double-check. It never hurts, because you don’t want to deal with the alternative of not being able to access your account in the event of some major mess or security breach.
To get started, visit the Security section of your Google account settings. Scroll down a bit to the “Ways we can verify it’s you” list of questions and make sure your phone number, recovery email address, and security question are all accurate.
Next, scroll up a smidge and click on “2-Step Verification.” You’ll have to enter your password again. On the subsequent screen, make sure that you’ve turned on Google’s two-step verification to better protect your account. Assuming you have, scroll down a bit and click on “Show Codes” under the “Backup codes” section.
Copy. These. Codes. Down. To paraphrase Gandalf, keep them secret and safe; you’ll use them to log back into your account if, for whatever reason, you can’t access the device(s) you’ve set up for two-step verification.
Finally, go visit the Personal info section of your Google account settings and double-check that your actual contact information is correct: email(s) and phone number(s). While you’re here, you might as well also make sure you’ve entered your correct birthday, too.
And, of course, the best way to make sure you never forget your passwords to anything is to use a strong password manager. Even if it costs you a few bucks a month, it’s worth every penny. Not only does this make it easy to keep track of your passwords, but you can use stronger, more secure passwords that are very difficult to guess or brute-force. Also, a great password manager will let you know whenever your saved accounts are compromised in a data breach (which should be less of an issue if you’re using unique passwords for each service, but people can get a little lazy about this).
That’s my advice to everyone, and it applies to more than just Google. If a service is important to you, make sure you know the process of how you’ll get back into your account if you’re ever locked out. Then, check your data to make sure any errant typos won’t come back to haunt you, and make sure you’ve saved any backup codes or any other information you need in order to regain access to a lost or locked account. You’ll be glad you did now, if (or when) you have to deal with this later.