
Google lets you add a recovery phone number to your account because:

Your recovery phone is used to reach you in case we detect unusual activity in your account or you accidentally get locked out.

Thing is, I'm not sure what scenarios they have in mind, but I don't see how I could "accidentally" lock myself out or forget this account's password. It's my main account; I use it on a daily basis. And as for "unusual activity", Google only seems to send a warning after someone has logged in, not before. But if someone hacks my account and logs in to it, then it's going to take them 10 more seconds to remove the recovery phone, so by the time I even realize what happened, my phone is going to be useless.

So my question is, if I'm following "proper" security practices (i.e. my passwords are strong, I'm using a password manager and 2FA, etc.), then should I really ever have this enabled?
The benefits seem to be minimal if any, and the downsides comparatively enormous (e.g. if someone steals my phone, that person is going to have another channel for attacking my Google account).

user541686
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/52678/discussion-on-question-by-mehrdad-does-google-accounts-recovery-phone-have-an). – Rory Alsop Jan 29 '17 at 11:50

2 Answers


Remember that your Google account is not only your email. It is everything linked to your Google account, from mobile devices to the various applications you are using.

So, you could get locked out due to some app or add-on misbehaving, like receiving, deleting, or downloading a large amount of messages in a short period of time, or being simultaneously logged in to and synchronizing Gmail on many devices and/or clients and/or locations.

I would say the most likely scenario for your case is mistyping your password in an application that keeps trying to log in (particularly if you are in the middle of developing this app), for example.

A second possibility is if you have just changed your password with a new clever one that made sense at the time but next morning you are not sure if it has a “.” or “_” in it or none at all. Even though you use your account all the time I assume you are like the rest of us: you do not logout of your account every time you use it and you do not really type in your password all the time.

Now that I addressed the scenarios part of your question, allow me to address the bigger picture here:

You are looking at the problem backwards: your phone is the most important, physical authentication item in your life. If it is lost or stolen AND you didn’t have it locked/password protected then the person who has your phone (until you remotely wipe it and block it) basically owns your life and there is nothing you can do about it. You can lookup many articles on the subject. Not to mention that if someone used your phone then they already have access to your email accounts because I assume you have them auto-logged in for your phone to check new emails etc.

Conclusion: having your phone number for recovery does not compromise your security because if someone has access to your unlocked phone they already have access to your accounts, no need for a recovery phone number. If your phone is locked, then they have nothing.

A couple of notes I would like to add:

1) The phrases “use a password manager” (as in a program/service that saves your passwords) and “proper security practices” (in my opinion) do not fit in the same sentence. If you use a password manager you have already compromised your security.

2) If you already use 2FA then you have already provided the phone number.

Elkady
  • Can you elaborate (or point me to an answer elsewhere) why password managers and proper security practices do not go together? I'd think that the opposite is the case: a password manager is generally recommended best practice. – Fab Aug 25 '19 at 22:57
  • Password managers use 2-way encryption, which means whichever passwords are saved there can be compromised and decrypted. Same for online password service companies, which get compromised all the time. If a password can be retrieved it is inherently insecure. An example that comes to mind is older versions of Windows, which used to store credentials using 2-way encryption and were getting compromised. Modern operating systems use one-way encryption to store passwords, which means you can't retrieve the original password from the encrypted version. – Elkady Aug 27 '19 at 05:59
  • Password managers do introduce a single point of failure, but my impression is that expert consensus is that they're still better than not using a password manager. So, I stand by my comment that a password manager is generally recommended best practice. – Fab Sep 04 '19 at 11:31
  • Of course it is your choice, but definitely there is no security experts' consensus on using password managers. – Elkady Sep 05 '19 at 15:02
  • LastPass is the latest publicly discovered vulnerability: https://arstechnica.com/information-technology/2019/09/lastpass-fixes-bug-that-leaked-the-password-of-last-logged-in-account/ – Elkady Sep 17 '19 at 01:48
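The answer above describes a lockout caused by a client that keeps retrying a mistyped password. The following is an added example (not part of the original answer or any Google code) of the kind of detection logic a service might run over its authentication log to spot that pattern: it counts failed logins per (account, client) pair inside a sliding time window and reports the moment a pair crosses the threshold. The log format, the field names, the threshold of 5 failures and the 10-minute window are all assumptions; the log lines are constructed sample data.

```python
"""Toy lockout detector over constructed authentication log lines.

Flags (account, client) pairs whose failed logins inside a sliding window
reach a threshold, which is how a misconfigured mail client retrying a
wrong password ends up locking the whole account. The log format, field
names and thresholds are assumptions for this example, not Google's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an IMAP sync client retries a mistyped password five
# times in five seconds; a second user fails twice, far apart in time.
SAMPLE_LOG = """\
2017-01-29T10:00:01 account=alice client=imap-sync result=FAIL
2017-01-29T10:00:02 account=alice client=imap-sync result=FAIL
2017-01-29T10:00:03 account=alice client=imap-sync result=FAIL
2017-01-29T10:00:04 account=alice client=imap-sync result=FAIL
2017-01-29T10:00:05 account=alice client=imap-sync result=FAIL
2017-01-29T10:00:30 account=alice client=browser result=OK
2017-01-29T10:05:00 account=bob client=mail-app result=FAIL
2017-01-29T10:20:00 account=bob client=mail-app result=FAIL
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into its parts (assumed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts), fields["account"],
            fields["client"], fields["result"])


def detect_lockouts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(account, client): iso_timestamp} for every pair whose FAIL
    count inside the trailing `window` reaches `threshold`; the timestamp is
    the first line that tripped it. A later OK does not reset the counter
    here (assumption kept simple for the example)."""
    recent = defaultdict(deque)   # (account, client) -> timestamps of recent FAILs
    tripped = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, client, result = parse_line(line)
        if result != "FAIL":
            continue
        key = (account, client)
        q = recent[key]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in tripped:
            tripped[key] = ts.isoformat()
    return tripped


if __name__ == "__main__":
    for (account, client), when in detect_lockouts(SAMPLE_LOG).items():
        print(f"lockout: account={account} client={client} at {when}")
```

Only the retrying IMAP client trips the detector; bob's two failures are 15 minutes apart, so the first has aged out of the window before the second arrives. Keying on the client as well as the account is what lets a service tell "one misbehaving app" apart from "someone trying passwords from many places", which is also the difference between a nuisance lockout and the unusual-activity case the question asks about.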

Yes, there are other reasons why you may need to use account recovery features.

If your email address and password show up in a password dump somewhere (e.g. through password reuse, phishing, etc.), Google will most likely disable your password proactively and force you to use your secondary recovery option.

Also, if your 2FA alternative breaks (phone gets dropped in the toilet, you're stuck far away from your backup codes), you'll need a solid set of recovery alternatives: accounts with 2FA enabled have stricter recovery requirements.

I believe (though I don't remember for certain) that Google has both "suspicious sign-in prevented" as well as "suspicious activity detected" event categories. They could trigger on suspicious activity that wasn't the sign-in: say, for example, if you email all your contacts asking them to send you wire transfers. That would be plenty suspicious. (I don't know if they actually detect that, but it sounds sensible enough to look for).

tylerl
  • Sorry to say, but this is not really helpful: The OP says that they A) use a strong password using a manager, so it is most likely not reused and B) when the phone gets dropped into the toilet, the recovery phone number is of no use. – Marcel Feb 02 '17 at 11:58
  • @Marcel: most mobile network providers allow you to get a replacement SIM card with the same phone number, so if you drop your phone in the toilet, that's not necessarily the end of the world. Depending on the security protocol of your mobile network provider though, they may fall for social engineering and provide an attacker with replacement SIM cards for numbers they don't actually own, but many require some sort of government photo ID and maybe a PIN. – Lie Ryan Feb 02 '17 at 14:08
  • Don't forget that there's SIM swapping. – Ryuu Jun 02 '20 at 07:50