They can be critical, and critical to get right
With few exceptions, your recovery email address should be an email address you control.
Let’s look at not only those exceptions, but some additional characteristics of a recovery email address you’ll want to be aware of to keep all your accounts safe and secure.
A recovery email address is used to regain access to an account you’re unable to sign in to. Generally it should be an account under your control, and on a different email service. What’s most important, though, is that you periodically make sure it’s working rather than finding out it’s not when you need it most.
Recovery email address
Your recovery email address, sometimes called an “alternate” address, is an additional email address you list in your account settings, often in security settings. It is used when you are unable to sign in normally to “recover” access by setting a new password.
Let’s say your primary email account is firstname.lastname@example.org. As part of its configuration, you specify a different email address — say, email@example.com — as your recovery email address.
One day, you can’t log in to your primary somerandomservice.com account. Perhaps you forgot your password, or perhaps your account was compromised. You click on the “I forgot my password” link, and somerandomservice.com sends an email to your alternate email address: email@example.com. You prove you got it by clicking a link in that email or by entering a code from that email.
This proves you’re the person who configured it as the recovery email in the first place: the account owner. With that proof, somerandomservice.com lets you set a new password, and you recover access to the account.
The recovery email address (like the similarly used recovery telephone number) is important. If you lose access to it, and you’re unable to log in to the primary account for which it was configured as the recovery address, you may lose access to that primary account forever.
Should it be yours or a friend’s?
I generally recommend recovery email addresses be your own. That way, you’re in control of exactly how they’re used and when.
Besides, it’s not uncommon for someone who is a trusted friend today to be less so in the future. For example, I’ve seen many accounts compromised when relationships (including marriages) end, and one partner decides to extract some sort of revenge via their access to the other’s email.
That being said, there are scenarios where it makes sense for an alternate email address to be someone else’s. This might be required in a corporate setting, or perhaps a very trusted acquaintance who helps you with your technology. If you do elect to use a friend’s email account for your recovery address, be sure to remember to change it should your relationship change.
In my case, I have my own alternate email addresses set up as addresses I control. My wife’s accounts, on the other hand, generally have one of my emails as the recovery email.[1]
Choosing a recovery email address
A recovery email address should be on a different email service. For example, I wouldn’t recommend setting up a Gmail address as your recovery address for your primary Gmail account. In theory that should work, but there are scenarios where both could fail at the same time. It’s better to have the recovery address be on a different service — perhaps Outlook.com, Yahoo.com, or something else.
You might never need to use your recovery address, but it’s important you keep it active. Sign in to it every so often so it isn’t closed for lack of use. If that happens, and you suddenly need it, you’re probably severely out of luck.
Some folks use a “throw away” account as their recovery email address — one they use to sign up for things they suspect might get them more spam or otherwise invade their inboxes. That’s fine, as long as you never actually throw it away.
Your recovery email address is, of course, an account all to itself. It, too, will probably include the ability to specify an alternate email address in case you ever need to regain access to it.
It’s perfectly valid to cross-link them: set A to be the recovery address for B, and B to be the recovery address for A.
If you’re in the process of recovering account A, and suddenly realize you’ve also forgotten the password to B because you haven’t used it in ages, you’re once again out of luck. You’re unable to use either account to prove you’re the rightful owner of the other.
This might lead you to think you need to create a third account to be the recovery account for B. That’s one solution, I suppose.
In reality, it underscores the need to periodically make sure your access to B is working, before you actually need it.
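One way to make that periodic check routine is to keep a small inventory of your mailboxes and audit it. The script below is an added example, not something from the original article; the addresses, the 180-day idle threshold, and the use of the mail domain as a stand-in for "same email service" are all assumptions.

```python
from datetime import date

# Constructed inventory of mailboxes you control (hypothetical addresses).
# Each entry: the recovery address configured on it and your last successful sign-in.
ACCOUNTS = {
    "me@mail-a.example":   {"recovery": "me@mail-b.example",  "last_login": date(2024, 5, 1)},
    "me@mail-b.example":   {"recovery": "me@mail-a.example",  "last_login": date(2022, 1, 10)},
    "shop@mail-a.example": {"recovery": "me@mail-a.example",  "last_login": date(2024, 4, 20)},
    "old@mail-c.example":  {"recovery": "pal@mail-d.example", "last_login": date(2024, 3, 3)},
}

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def audit(accounts, today, max_idle_days=180):
    """Return (account, issue) pairs for recovery settings worth reviewing."""
    def stale(addr):
        return (today - accounts[addr]["last_login"]).days > max_idle_days

    findings = []
    for addr, info in accounts.items():
        rec = info["recovery"]
        # Assumption: same mail domain approximates "same email service".
        if domain(rec) == domain(addr):
            findings.append((addr, "same-service"))
        if rec not in accounts:
            # Someone else's mailbox, or one you no longer track: review it.
            findings.append((addr, "not-controlled"))
            continue
        if stale(rec):
            # The recovery mailbox has not been signed in to recently.
            findings.append((addr, "stale-recovery"))
        # Follow the recovery chain to see whether it loops back to this account.
        chain, cur = [addr], rec
        while cur in accounts and cur not in chain:
            chain.append(cur)
            cur = accounts[cur]["recovery"]
        # Cross-linking is fine on its own; it is a risk when a member is unused.
        if cur == addr and any(stale(a) for a in chain):
            findings.append((addr, "loop-at-risk"))
    return findings

if __name__ == "__main__":
    for account, issue in audit(ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{account}: {issue}")
```

A "not-controlled" finding is not necessarily a problem; it marks the accounts whose recovery address belongs to someone else so you remember to revisit them.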
Footnotes & References
1: Apparently, after 40 years of marriage, I’ve proven trustworthy. So far.