
19 comments on “Please Set Up and Maintain Account Recovery Information”

  1. This is another scenario where a password manager comes in handy. I currently use Bitwarden and have used LastPass before that.
    Both allow notes to be attached to the pass cards for each account for answers to secret questions and recovery codes. In the event that one needs that information, it will be readily available.
    Some of the answers to my secret questions are so ridiculous, there is no way I can remember them.
    Having had to assist another person after he got locked out of his computer after too many failed attempts to log in using his Microsoft account and what it took to do so (resulting in a 30-day waiting period), I made sure that account recovery methods for everyone in the household were set up and available if and when the situation arises again.

  2. What if you forget the password to the password manager? I use a long password I can easily remember and 2FA to log in to my Google account, and I store all my passwords in the Google account; I don’t think I need another password manager. I trust Google; their services work for me. Therefore I have several ways to reset my Google account configured.
    When logging in to my Google account on a new device I have two updated smartphones and two Yubikeys I can use as the second login factor.

  3. My low-income self has attempted to rely on government-supported Lifeline phones that merely require a minimum of one telephone call per month to keep your account active. HOWEVER, the private firm providing my first Lifeline phone purportedly went out of business and the FCC number portability regulation either had not been established or was poorly enforced by the FCC, because my repeated and alternative efforts to transfer that phone number to my new Lifeline carrier failed. Since then, said new Lifeline carrier failed to replace my malfunctioning phone in July (2022) as it claimed that it would, I was thus unable to make a phone call within that 30-day period, I still do not have a replacement phone, and I fear I might not be able to rely on the FCC again to enforce my phone number’s portability once I get around to getting the phone replaced. It has now been over four months without a phone, one return receipt requested snail mail to Assurance Wireless (my most recent Lifeline carrier), and both snail mail and email to both Senators for my State (Illinois) and my U.S. House Rep. (Mike Quigley) alerting them to the FCC number portability issue. That I never trusted these Lifeline phones and enforcement of telephone number portability under FCC regulations at least kept me from relying on 2FA, so I can still (albeit less securely) get into my online accounts (until I can’t, which hasn’t happened yet (knock on wood)). WE NEED TO BE ABLE TO HAVE OUR PHONE NUMBERS RECOGNIZED SIMILARLY TO OUR SOCIAL SECURITY NUMBERS, SO THAT LOSING A PHONE OR ITS ACCOUNT WITH A CARRIER WILL NOT CAUSE LOSS OF YOUR PHONE-NUMBER IDENTITY IF YOU WANT TO DEPEND UPON (KEEP) IT.

  4. Can you afford to buy a YubiKey or two? You can find it here
    You can use this as the second factor when you log in.
    With 2FA it’s safe to use a simple password you won’t forget. My wife and I use the same Yubikeys on our Google accounts so other family members can use the same keys as the second factor; very convenient and recommended by US Department of Defense.

    • I have one. It’s the most secure alternative, but it’s also the most inconvenient if you rely on it alone. While most of us with smartphones tend to carry them with us at all times, the YubiKey is something else we need to remember to have as well. Highly recommended for those situations requiring significant extra security (corporate, government, health, etc. scenarios) but probably overkill for personal use.

  5. One of my Yubikeys works with NFC and I use it with my Android phone. I just have to hold it to the back of my phone to provide authentication. That Yubikey is kept on my key ring with my car key and house key.
    I don’t do much on my phone, but having that capability can be useful at times.

  6. Leo,

    How do you deal with what you might call a Catch-22 situation? Gmail will not allow security changes without verification through the mobile phone, so if a number is changed or a phone is lost, it is impossible to update the new information without going through the same phone which is already lost.

    Also you mentioned that Verification is through the number and not the phone. This doesn’t seem to be the case, as my 2 Step Verification pops up on the named phone rather than a direct SMS message to my number.

    • When you set up and maintain account recovery information you can typically include more than one alternative — an SMS number, an email address, and so on — so you can choose which one to use if the default one no longer applies.

  7. If you use the encrypted mail service Protonmail, in addition to a recovery email address and phone number, be sure to also set up both a data recovery phrase and file immediately! And put them somewhere safe.

    I lost all prior mail (fortunately nothing important) when I reset my password with them via the recovery email BUT… I didn’t have the other data recovery information so all previous email messages disappeared. Poof!

    They call what I did (using recovery email and/or phone number) “Account recovery” but to do “Data recovery” you need either (1) a recovery phrase or (2) a recovery file.

    A particularly arrogant client insisted on using Protonmail but had not set up the “Data recovery” items. Her previous “IT guy” got her on Protonmail. She “knew” everything and she would not listen to me about this.

    Naturally she lost track of the password and… therefore ALL of her mail history.

    There was no way that I was responsible for this but I fired the client at that point for that and many other reasons.

  8. I still like secret phrases the best, as I put them into LastPass and they can be easily auto-entered. 2-factors take longer, and if it is used with my Authy app, then I can’t even copy and paste since the Authy app is on my phone.

    • Read the article again. It tells exactly what to do. The recovery information isn’t something you store. It’s an email account you associate with your account for recovery. Maintaining it means keeping those recovery emails current and making sure you can access them. The exception to this is which allows you to create a Recovery Code which you can store anywhere you consider safe. I keep mine encrypted in OneDrive and copies in my computer backups.

      This Recovery Code is useful even if you don’t use your account for email management. Supported versions of Windows require a Microsoft account to get access to certain features such as OneDrive.

