AKA what not to do.
Not a day goes by that I don’t hear from someone who’s in the middle of an account recovery process that isn’t working.
While I try to help out to the degree that I can (usually with instructions that are no more than the service provider’s instructions translated into clearer English), it’s also not at all uncommon for those account recovery efforts to fail and for access to the account never to be regained.
And to be super blunt about it, most of the time it’s the account owner’s own fault.
How to lose your account
Account recovery fails most often because recovery information, like alternate email addresses and phone numbers, was never configured or wasn’t kept up to date. It’s important to set up that information and review it regularly to make sure it’ll be there if and when you need it.
The most common reason for failure
Almost every online service has provisions for recovering lost passwords or regaining access to accounts that are inaccessible to their rightful owners. Those account recovery processes typically involve sending an email to an alternate email address, a text message to a phone, or something else.
Those are great, reliable ways to prove you are the rightful owner of the account and should be allowed back in. Anything less would allow hackers to impersonate you or otherwise scam the system to break into accounts where they have no business being.
Many people don’t set up this recovery information, and those who do often don’t keep their information current.
Without it, there’s really no hope for recovery.
Alternate email addresses
These days, you shouldn’t have just a single email address.
You need at least two.
The first you consider as your real or primary address. The second you use as your “alternate” email address for that primary account. You’ll use it when you need to prove that you are you.
Like when you forget your password on the primary account… or when your account is hacked.
How do you prove you are you? By being able to access that alternate email account. Account recovery frequently involves sending a password-reset link, code, or some other information to that email address. When you collect the information and use it, you’ve proven you have access to that account. Since you’re the one who set it up as the alternate account, then you must be who you say you are, and thus you should be allowed back into the account.
Never set up an alternate email address? You can’t recover the account.
Lost access to the alternate email account? You can’t recover the account.
The conundrum of the phone
Many services allow you to associate a phone number with your account.
Unduly paranoid folks believe this amounts to more ways for the service in question to keep tabs on them.
I disagree strongly.
Phone numbers are another way to prove you are who you are. Rather than sending you email, services can send you a text message with a recovery code, or in some cases, a recorded voice that reads the recovery code to you. Your ability to receive a code at the phone number you provided proves you must be you and should be allowed back into the account.
The conundrum I allude to is twofold.
- Many services only support text messaging, and thus only mobile phones. You’ll need to use a different alternative authentication mechanism — like that alternate email account — if you don’t have a mobile phone.
- Phone-based recovery may easily fail if you lose access to your account or are asked for additional validation while traveling outside your own country. Once again, make sure you have an alternate identification mechanism in place (like that alternate email address) before you leave.
I advise setting this up if you can.
Losing your account in one easy step
Pick whichever approach you like:
- Don’t set up authentication mechanisms like alternate email addresses or phone numbers at all,
- Let your alternate authentication mechanisms expire or change without updating the account for which they’re the alternate mechanism.
Either works. You’ll lose access to your primary account forever if you ever get hacked or lose your password.
To avoid losing access to important accounts, I strongly recommend you:
- Set up an alternate authentication mechanism on your important accounts.
- If you already have, make sure they’re all still valid.
I also recommend that you take advantage of all the alternate mechanisms offered.
- Set up an alternate email address and keep that alternate email address active.
- Set up more than one alternate email address if you can.
- Associate a mobile phone number with the account.
- If you don’t have a mobile and the service will do voice calls (reading you a recovery code), then associate a landline number with the account.
And above all, any time any of the above changes, make absolutely certain to update the information in your accounts. Alternate email addresses or phone numbers do you no good if you no longer have access to them.