Without it, you risk losing your account forever.
It might be as important as backing up. It’s certainly close.
The number of people I hear from desperately trying to regain access to their accounts would surprise you.
The number of people who’ll never regain access would surprise you more. I see it at least daily.
It doesn’t have to be that way!
Set up recovery info
Recovery information is crucial to regaining access to your account if you can’t sign in for any reason. Make sure not only to set it up, but keep it up to date. I see many accounts permanently lost because recovery information was either out of date or never set up at all.
Recovery information has one purpose
You know you are who you say you are.
If you lose your password, all indications are that you are not who you say you are. If you were the rightful account holder, after all, you would know the password.
I know, I know! That’s not the case if someone has hacked you or you lost that little green notebook with all your passwords scrawled in it. But the service has no way of knowing that. Your username/password combo[1] is how you prove to them you are who you are.
What most services do realize, though, is that people are people. Sometimes we forget our password. Sometimes our accounts are hacked.
Recovery information is an alternate means for you to prove you are who you say you are and should be given access to the account.
You must set up recovery information before you need it
Recovery information works because you set it up while you still have access to your account. It’s information you add to the account in case of future problems.
Hopefully, you’ll never need to use it. But you must set it up, just in case.
If you never set it up, then should your password ever stop working, you’ll have no way to prove you are authorized to access the account.
You must keep recovery information up to date
Honestly, most people facing account loss due to failed recovery attempts did set up recovery information when they set up their accounts. That’s good, but it’s not enough.
Many of these accounts are years old (and that’s one reason you care so much about them). The recovery information you might have configured back then falls out of date. Maybe your recovery phone number is no longer in use, or your recovery email address has long since disappeared, for example.
Out-of-date recovery information is just as bad as not having it at all. It might even be worse if it gives you a false sense of security.
You must keep it up to date. Check it periodically (some services now occasionally prompt you to do this), and/or proactively update it when something changes.
Types of recovery information
These are the kinds of things we’re talking about here.
Alternate email addresses. Make sure you still have access to the email account to which the recovery code will be sent. If you do not, recover that account or configure a different one.
Mobile phone number. Contrary to conspiracy-minded folks, this is not used to gather more tracking data on you. (The mobile services already have plenty.) Make sure that any mobile number configured in your account is a number at which you can currently receive a text message. If you change numbers, make sure to change your recovery information. If you lose your mobile, replace it quickly and have your phone number ported to the new device; text messages are tied to your mobile number, not a specific device.
Landline phone number. This is less common, but some services allow you to use a landline and call you with a recorded confirmation code in case of recovery. Like a mobile number, if your landline number ever changes, make sure to change it in your account recovery information.
Recovery codes. This is also less common, but doesn’t suffer from issues relating to change. Some services let you generate one or more “recovery codes” — random numbers that, in the event of password failure, can be used once to sign in to your account. The issue here is that you must create and save them somewhere secure so they’re available when needed.
Secret questions. Some services still use them, but they should not. It’s been shown that they’re often guessable and significantly less secure. If you have a choice, use one of the alternatives above. If you have no choice, make sure you do not forget the answers to the questions you choose.[2]
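To make the "recovery codes" item above concrete, here is a sketch of how a service can issue and check single-use codes. It is an added example, not code from this article or from any particular service; the function names, code format, and in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical code alphabet: no 0/O, 1/I/L look-alikes, so codes survive
# being written on paper and typed back in.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


def _digest(code: str) -> str:
    # Normalise what the user typed (case, spaces, dashes) before hashing.
    canonical = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(canonical.encode()).hexdigest()


def generate_codes(count: int = 10):
    """Return (codes shown to the user once, digests the service keeps)."""
    codes = []
    for _ in range(count):
        # 16 symbols from a CSPRNG is roughly 79 bits, enough that storing
        # a plain SHA-256 digest does not make offline guessing practical.
        raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes, {_digest(c) for c in codes}


def redeem(stored: set, submitted: str) -> bool:
    """Accept a code once, then delete its digest so it cannot be reused."""
    candidate = _digest(submitted)
    match = None
    for known in stored:
        # Constant-time comparison of each stored digest.
        if hmac.compare_digest(known, candidate):
            match = known
    if match is None:
        return False
    stored.discard(match)
    return True


if __name__ == "__main__":
    codes, stored = generate_codes(3)   # constructed sample run
    print("Save these somewhere secure:", codes)
    print("first use :", redeem(stored, codes[0]))
    print("second use:", redeem(stored, codes[0]))
```

The service never needs to keep the codes themselves, which is why it can only show them to you at the moment they are generated.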
Set up account recovery information and keep it up to date.
You run the very real and serious risk of losing access to the account if you do not.
Footnotes & References
1: Plus your second factor, if you have that configured.
2: I used to be surprised at how often people forget their answers, but it makes an odd kind of sense. When setting up the account, they don’t want to answer the questions or want to answer them extra-securely, so they enter nonsense. Later, when the account is important enough to need recovery, they can’t remember the nonsense answers.