Account Recovery
Account Recovery is the process of regaining access to accounts when primary authentication fails. Preparation before lockout determines whether recovery takes minutes or weeks.
Prevention First
The best recovery is one you never need:
- Password manager: you never have to remember or retype a password, so "forgot password" flows are rarely needed
- Hardware keys: phishing-resistant, and a second registered key covers loss of the first
- Multiple factors: enroll a phone-based method AND a hardware key, so losing one does not lock you out
- Documentation: know every critical account's recovery path before you need it
Recovery Options by Priority
| Option | Speed | Security | Setup Required |
|---|---|---|---|
| Backup hardware key | Instant | Excellent | Buy two, register both everywhere |
| Password manager | Instant | Good | Maintain synced, encrypted backups |
| Backup codes | Instant | Good | Print and store securely; reprint after regenerating |
| Recovery email | Minutes-hours | Only as strong as that mailbox | Secure the recovery email at least as well |
| Recovery phone | Minutes | Weak (SIM swap, number recycling) | Carrier PIN; never the only path |
| Support ticket | Days-weeks | Variable | Last resort; no guarantee of success |
Pre-Lockout Setup
Password Manager
Your password manager is the master key:
- Use a long master passphrase you can remember; it is the one secret you cannot store anywhere else
- Enable 2FA on the password manager itself, and keep its backup codes outside the vault
- Sync across devices
- Keep an encrypted backup export
Backup procedure:
1. Export the vault in encrypted form
2. Store copies in at least two locations
3. Test a restore annually, on a device that has never synced the vault, so you know the export and the passphrase actually work
Hardware Keys
See Yubikey for details.
Critical: Register TWO hardware keys everywhere.
- Keep one on keychain
- Keep backup in secure location
- Different physical locations preferred
Backup Codes
Most services offer one-time backup codes:
- Generate them when enabling 2FA; each code works exactly once, and regenerating invalidates every old code, so reprint after regenerating
- Print on paper
- Store in a secure physical location (not with your devices)
- Store an encrypted copy in the password manager, except for the password manager's own codes, which must live outside it
Storage options:
- Safe at home
- Safe deposit box
- With a trusted person
- Fire-resistant bag in a go-bag
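Why the printed sheet matters: a service that implements backup codes properly keeps only salted hashes, so the plaintext exists once, at issue time, and cannot be shown again. The following is an added example of that server-side model, not code from any real provider; the code format, alphabet and the `BackupCodeStore` class are assumptions chosen for illustration. It shows the three properties a user relies on: codes are high-entropy, each redeems once, and re-issuing wipes the previous set.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

# Alphabet drops 0/o, 1/l/i so hand-typed codes from a printout are unambiguous (assumption).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` random codes formatted xxxxx-xxxxx.

    31 symbols ** 10 positions is about 49.6 bits of entropy per code,
    which is why a fast hash (not a password KDF) is enough server-side.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Accept what a human types: any case, with or without the dash or spaces."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class BackupCodeStore:
    """Server-side view of one user's backup codes: hashes only, single use."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)  # per-user salt; a stolen table is not cross-user searchable
        self.unused: Set[bytes] = set()

    def issue(self, count: int = 10) -> List[str]:
        codes = generate_backup_codes(count)
        # Replacing the whole set is what makes "regenerate codes" invalidate the old printout.
        self.unused = {hash_code(c, self.salt) for c in codes}
        return codes  # the only time plaintext leaves the server

    def redeem(self, attempt: str) -> bool:
        digest = hash_code(attempt, self.salt)
        match = None
        # Scan every stored hash with a constant-time compare and no early exit,
        # so response timing does not reveal which slot (if any) matched.
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)  # one-time use
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue()
    print("print and store these:", *sheet, sep="\n  ")
    print("redeem once:", store.redeem(sheet[0]))
    print("redeem again:", store.redeem(sheet[0]))
    print("remaining:", store.remaining())
```

The lesson for the user side is the inverse of the server side: because the service holds only hashes, your printed copy is the sole copy, and a fresh "regenerate" on the account settings page silently turns the old sheet in the safe into scrap.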
Recovery Email
Your recovery email needs to be:
- Separate from the primary email (different provider, so one provider outage or lockout cannot take both)
- Protected with a strong password plus a hardware key; it is a master key to everything it can reset
- Used for nothing else, but logged into periodically so the provider does not close it for inactivity
- Easy for you to access from anywhere
Common mistake: Using work email for personal account recovery. If you lose the job, you lose recovery.
Recovery Phone
Phone recovery is convenient but risky:
- SIM swap attacks: Attacker convinces carrier to transfer your number
- Phone loss/theft: Physical access to recovery
- Number recycling: Old numbers get reassigned
Mitigation:
- Add a carrier account PIN/password and a port-out lock where the carrier offers one
- Use a hardware key as primary 2FA so the phone is never the only path in
- A VoIP number (Google Voice or similar) cannot be SIM-swapped, but many services reject VoIP numbers for verification, and a Google Voice number is itself recoverable only through a Google account; do not let it be the recovery path for that account
Service-Specific Recovery
Google Account
Critical account - protects Gmail, Drive, YouTube:
- Hardware keys (primary)
- Backup codes (printed)
- Recovery email (not Gmail)
- Recovery phone (with carrier PIN)
- Trusted contacts (can vouch for you)
If locked out:
- Try backup codes
- Try recovery email
- Try recovery phone
- Account recovery form (slow, not guaranteed)
Apple ID
- Trusted devices can approve sign-ins on new devices
- Recovery contacts (iOS 15+) can generate a code that lets you reset the password
- Recovery key (optional, 28 characters): once set, Apple's support-assisted account recovery is turned off, and the key plus a trusted device becomes the reset path
- Account recovery via trusted devices
Warning: turning on a recovery key removes Apple's assisted account recovery. Lose the key and every trusted device and the account is unrecoverable. Print the key and store it with the backup codes.
GitHub
For developers, GitHub access is critical:
- Hardware keys (FIDO2), two registered
- TOTP app as a fallback second factor
- Recovery codes, printed
- A previously used SSH key, verified device, or personal access token can prove ownership during GitHub's 2FA recovery; keep at least one SSH key backed up and registered
Financial Accounts
Banks vary widely:
- Phone verification common
- Security questions (use random answers stored in password manager)
- Branch visit may be required
- ID verification for major changes
Emergency Recovery Kit
Prepare a physical or encrypted digital kit:
Recovery Kit Contents:
- Backup codes for critical accounts (printed)
- Password manager master password hint
- Recovery email credentials
- Hardware key backup
- List of critical accounts and recovery methods
- Emergency contacts who can help
- Bank account numbers and phone numbers
Storage:
- Encrypted file in secure location
- Paper copy in safe
- Copy with trusted family member
Update annually.
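The "list of critical accounts and recovery methods" is also the input to a check worth running at the annual update: does any recovery path loop back on itself (the recovery mailbox is itself recovered through the account it protects), sit with the same provider, depend on an employer, or rest on a single second factor? The script below is an added example for this page, not a tool from any vendor; the `Account` record, the field names and the sample inventory are all constructed for illustration. It encodes the mistakes called out above (Gmail-recovers-Google, Google Voice as a recovery number, work email as a personal recovery path, one unbacked-up factor) as findings.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    provider: str                                   # who hosts it; used to spot same-provider recovery
    factors: List[str] = field(default_factory=list)  # second factors enrolled, one entry per physical item
    recovery_via: List[str] = field(default_factory=list)  # inventory entries that can reset this one
    work_controlled: bool = False                   # employer owns it; lose the job, lose the path


def find_cycles(inventory: Dict[str, Account]) -> List[List[str]]:
    """Return each recovery loop once, as a path ending where it started."""
    cycles: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node not in inventory:
            return
        for nxt in inventory[node].recovery_via:
            if nxt in path:
                cycle = path[path.index(nxt):] + [nxt]
                # Same node set == same loop entered at a different point; keep one copy.
                if not any(set(cycle) == set(seen) for seen in cycles):
                    cycles.append(cycle)
            else:
                walk(nxt, path + [nxt])

    for name in inventory:
        walk(name, [name])
    return cycles


def audit(inventory: Dict[str, Account]) -> List[str]:
    """Flag single points of failure and dependencies that defeat recovery."""
    findings: List[str] = []
    for name, acct in inventory.items():
        if len(acct.factors) < 2:
            findings.append(
                f"{name}: only {len(acct.factors)} second factor enrolled; "
                "register a backup key or print backup codes"
            )
        for dep in acct.recovery_via:
            target = inventory.get(dep)
            if target is None:
                findings.append(f"{name}: recovery path '{dep}' is not in the inventory; document it")
                continue
            if target.provider == acct.provider:
                findings.append(
                    f"{name}: recovery via {dep} is hosted by the same provider ({acct.provider})"
                )
            if target.work_controlled:
                findings.append(f"{name}: recovery via {dep}, which your employer controls")
    for cycle in find_cycles(inventory):
        findings.append("recovery loop: " + " -> ".join(cycle))
    return findings


# Constructed sample inventory; provider names are placeholders, not statements about those services.
INVENTORY: Dict[str, Account] = {
    "google": Account("google", ["hardware_key_1", "hardware_key_2", "backup_codes"],
                      ["recovery_mailbox", "google_voice"]),
    "recovery_mailbox": Account("proton", ["hardware_key_1"], ["google"]),
    "google_voice": Account("google", ["hardware_key_1", "hardware_key_2"], ["google"]),
    "github": Account("github", ["hardware_key_1", "hardware_key_2", "totp", "recovery_codes"],
                      ["work_email"]),
    "work_email": Account("employer", ["hardware_key_1", "totp"], [], work_controlled=True),
}


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print("-", line)
```

Run against the sample inventory it reports six findings: the Google account and its Google Voice number recover each other (a loop that also trips the same-provider check), the recovery mailbox is a loop partner with only one factor, and GitHub recovery runs through an employer-owned mailbox. Fix the inventory until the list is empty, then put the inventory itself in the kit.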
When Locked Out
Immediate Steps
- Don't panic. Most lockouts are recoverable.
- Verify the lockout. Wrong password? 2FA device issue? Account suspended?
- Check other devices. Often you're still logged in somewhere.
- Try recovery options in order. Don't skip to support ticket.
Recovery Attempt Order
- Backup hardware key
- Other logged-in session
- Password manager
- Backup codes
- Recovery email
- Recovery phone
- Support ticket (last resort)
If Using Support
Be prepared for:
- Identity verification
- Account history questions
- Document submission
- Multi-day wait times
Document everything: Ticket numbers, agent names, promises made.
After Recovery
Once you regain access:
- Secure immediately: Change password, review sessions
- Audit access: Check for unauthorized activity
- Revoke sessions: Log out everywhere, start fresh
- Update recovery: Fix whatever failed
- Document lesson: What went wrong, how to prevent
Special Cases
Deceased User Access
Access to deceased person's accounts:
- Most services have deceased user policies
- Requires death certificate
- May require court order
- Plan ahead: include digital assets in estate planning
Corporate Account Recovery
Work accounts:
- IT department is your recovery path
- Personal backup may not be possible
- Know your organization's policies
- Don't rely on work accounts for personal recovery
Compromised Account
If locked out due to compromise:
- Recovery is more complex
- Attacker may have changed recovery options
- Support ticket required
- May need to prove identity extensively
See Digital Security Incident Runbook for full procedure.
Related
- Key Management - Protecting your keys
- Yubikey - Hardware authentication
- PGP - Encrypted backup
- Digital Security Incident Runbook - When things go wrong
| Security & Opsec | |
|---|---|
| Crypto | PGP · PGP Communication Guide · Key Management |
| Incident | Security Incident Runbook · Threat Modeling · Account Recovery |
| Hardware | Flipper Zero · HackRF · Yubikey |
| Culture | Hacker Culture · Operational Security |