Red Hot Cyber

Gmail introduces trusted contacts to recover accounts

Redazione RHC : 19 October 2025 18:38

A new Gmail security feature will allow users to restore access to their accounts with the help of friends or family. Trusted contacts (Recovery Contacts) can be used to obtain recovery codes when other methods aren’t available.

Each user can specify up to 10 trusted contacts per account and can also act as a trusted contact for up to 25 other accounts.

Account recovery through trusted contacts

Recently, Google and other major market players have actively promoted the use of passkeys, seen as a replacement for traditional passwords. This technology is considered the future of authentication.

The problem, however, is that people regularly lose their devices. And if a user loses a smartphone, they can’t quickly access other email accounts or SMS messages containing one-time codes, potentially losing access to their email.

“Passkey represents a big step toward a passwordless future,” Google writes. “Trusted recovery contacts offer another reliable and secure option (in addition to existing tools) to help you regain access to your account when other methods fail. We understand the stress of losing access to your account and are continuing to work on new solutions to make recovery more reliable, while maintaining Google’s high standards of privacy and security.”

Company engineers report that users can now specify trusted account recovery contacts who will assist them in restoring access to their account. The trusted contact will receive a notification requesting account recovery assistance and will be required to confirm the authenticity of the request using a code provided by the user.

Verification will be based on a comparison of numeric codes. The trusted contact will be shown three codes and will be asked to select the one provided by the user.

Possible fraud that abuses this feature

Google emphasizes that trusted contacts must have a strong understanding of cybersecurity. The company also recommends choosing people who can respond within 15 minutes of sending the request. After 15 minutes, the request will expire, and the user will need to resend the code to the same contact or choose a different one.

There is a risk that the account recovery feature via trusted contacts could be misused by attackers using social engineering techniques (if the contact is not observant enough to recognize the scam).

For example, an attacker could initiate an account recovery process and send a recovery code to a trusted contact via an unknown phone number, supposedly belonging to a friend of the victim, or by spoofing an email address. If the trusted contact falls for the scam, the account could be hijacked.

To prevent such attacks, Google will use additional controls. Before approving a request, the company will analyze the device’s history, location, and IP address to determine the legitimacy of the recovery attempt and may also request additional verification.

It should also be noted that even if a trusted contact approves the request, the account may still be locked for security verification, giving the true account owner more time to confirm the legitimacy of the recovery attempt.

Not yet available for Google Workspace

The new feature isn’t available for Google Workspace business accounts. Although Google doesn’t mention it in its press release, accounts enrolled in the Advanced Protection Program and Google Workspace accounts can’t set up trusted recovery contacts, but these accounts can still be used to recover other accounts.

Additionally, you can’t use a child’s account for recovery, and children won’t be able to add trusted contacts to their own accounts.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.