Account Recovery

Your accounts are only as secure as your recovery options

Account Recovery is the process of regaining access to accounts when primary authentication fails. Preparation before lockout determines whether recovery takes minutes or weeks.

Prevention First

The best recovery is one you never need:

  • Password manager: You never have to remember or retype a password, so you never "forget" one
  • Hardware keys: Phishing-resistant and independent of your phone number, so a lost or swapped phone does not lock you out
  • Multiple devices: Register 2FA on a phone authenticator AND a hardware key, so losing either one still leaves a way in
  • Documentation: Know your recovery paths before you need them

Recovery Options by Priority

Option                 Speed           Security    Setup required
Backup hardware key    Instant         Excellent   Buy two, register both
Password manager       Instant         Good        Maintain synced backups
Backup codes           Instant         Good        Print and store securely
Recovery email         Minutes-hours   Moderate    Secure the recovery email too
Recovery phone         Minutes         Moderate    SIM swap risk
Support ticket         Days-weeks      Variable    Last resort

Pre-Lockout Setup

Password Manager

Your password manager is the master key:

  • Use a long master passphrase you can remember; it is the one secret that cannot live inside the manager
  • Enable 2FA on the password manager itself, and keep its recovery code somewhere other than the vault it protects
  • Sync across devices, so no single lost or broken device holds the only copy
  • Keep an encrypted export as an offline backup; cloud sync is not a backup if the account hosting it is the one you lose

Backup procedure:
1. Export the vault in the manager's encrypted format (never plaintext CSV)
2. Store copies in multiple locations (home safe, second site, trusted person)
3. Test the restore annually: open the export on a clean device and confirm entries are readable

Hardware Keys

See Yubikey for details.

Critical: Register TWO hardware keys everywhere.

  • Keep one on keychain
  • Keep backup in secure location
  • Different physical locations preferred

Backup Codes

Most services offer one-time backup codes:

  • Generate them when enabling 2FA; regenerating a set later invalidates the old one
  • Print on paper; each code works exactly once, so cross off codes as you use them
  • Store in a secure physical location (not with your devices, or one stolen bag takes both)
  • Store an encrypted copy in the password manager; this covers every account except the manager itself, whose codes must live somewhere you can reach without it

Storage options:
- Safe at home
- Safe deposit box
- With trusted person
- Fire-resistant bag in go-bag
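What a printed backup code actually is, as an added example that is not the page's code: the service side, which mints a batch, stores only salted hashes, accepts a code however a human types it from paper, and burns it on first use. The eight-character two-group format, the reduced alphabet and the batch size of ten are choices made for this demo, not any particular service's format.

```python
import hashlib
import hmac
import secrets

# No 0/O or 1/l/I: the codes are meant to be read back from a printout.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_CHARS = 8          # ~39 bits from a 30-symbol alphabet; adequate because the
                        # service rate-limits attempts and burns codes on use
PBKDF2_ROUNDS = 50_000


def generate_code() -> str:
    body = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
    return f"{body[:4]}-{body[4:]}"


def normalize(code: str) -> str:
    """Accept what a human types: upper case, spaces or dashes."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Hashed like a password: a leaked copy of the store yields no usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Per-user store. Holds hashes only; plaintext exists once, at issue time."""

    def __init__(self, count: int = 10):
        self.count = count
        self.salt = secrets.token_bytes(16)
        self.unused: set[bytes] = set()

    def issue(self) -> list[str]:
        """Mint a batch and return the plaintext exactly once (this is what the
        user prints). Any previous batch is invalidated, which is why
        "regenerate codes" on a service makes the old sheet useless."""
        codes = [generate_code() for _ in range(self.count)]
        self.unused = {hash_code(c, self.salt) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Single use: a matching hash is removed before True is returned."""
        candidate = hash_code(code, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


def demo() -> dict:
    """Constructed walk-through of the properties the paper sheet relies on."""
    store = BackupCodes()
    sheet = store.issue()
    return {
        "first_use": store.redeem(sheet[0]),                                        # True
        "reuse": store.redeem(sheet[0]),                                            # False: burned
        "typed_upper_with_spaces": store.redeem(sheet[1].upper().replace("-", " ")),  # True
        "guess": store.redeem("zzzz-zzzz"),                                         # False
        "left": store.remaining(),                                                  # 8
    }


if __name__ == "__main__":
    print(demo())
```

Two consequences for the printout follow from the store: the service cannot show you the codes again, because it no longer has them, and a code that has been crossed off on paper is genuinely dead on the server, so a photographed sheet loses value as you work through it.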

Recovery Email

Your recovery email needs to be:

  • Separate from primary email (different provider, so one provider's outage or suspension cannot take both)
  • Protected with strong password + hardware key; whoever controls it can reset everything that points at it
  • Rarely used (less exposure to phishing), but logged into a few times a year, since some providers delete dormant accounts
  • Easy for you to access from anywhere, without the devices you may have just lost

Common mistake: Using work email for personal account recovery. If you lose the job, you lose recovery.

Recovery Phone

Phone recovery is convenient but risky:

  • SIM swap attacks: Attacker convinces the carrier to move your number to their SIM and then receives your reset codes
  • Phone loss/theft: Whoever holds the unlocked phone holds the recovery channel
  • Number recycling: A number you stop paying for is reassigned to a stranger, who then receives recovery texts for every account still pointing at it

Mitigation:

  • Add a carrier PIN/password (and port-out or "number lock" protection where the carrier offers it)
  • Use a hardware key as primary 2FA, so SMS is at most a fallback
  • Consider Google Voice or a similar VoIP number as the recovery number: it cannot be SIM-swapped, but some services reject VoIP numbers, and it must not be the recovery path for the Google account that owns it

Service-Specific Recovery

Google Account

Critical account - protects Gmail, Drive, YouTube:

  • Hardware keys (primary)
  • Backup codes (printed)
  • Recovery email (not Gmail)
  • Recovery phone (with carrier PIN)
  • Trusted contacts (can vouch for you)

If locked out:

  1. Try backup codes
  2. Try recovery email
  3. Try recovery phone
  4. Account recovery form (slow, not guaranteed); submit it from a device, network and location you have used with the account before, which Google's own guidance says improves the odds

Apple ID

  • Trusted devices can approve new devices
  • Recovery contacts (iOS 15+)
  • Recovery key (optional, replaces other recovery)
  • Account Recovery via trusted devices

Warning: Generating a recovery key turns off Apple's support-assisted account recovery. If you later lose both the key and every trusted device, the account is gone for good, so store the key with the same care as a backup hardware key.

GitHub

For developers, GitHub access is critical:

  • Hardware keys (FIDO2); register two
  • TOTP as a second method
  • Recovery codes
  • SSH keys keep git push/pull working while you recover web sign-in; they do not log you into github.com, so they are a continuity path, not an account recovery method

Financial Accounts

Banks vary widely:

  • Phone verification common
  • Security questions (use random answers stored in password manager)
  • Branch visit may be required
  • ID verification for major changes

Emergency Recovery Kit

Prepare a physical or encrypted digital kit:

Recovery Kit Contents:
- Backup codes for critical accounts (printed)
- Password manager master password hint
- Recovery email credentials
- Hardware key backup
- List of critical accounts and recovery methods
- Emergency contacts who can help
- Bank account numbers and phone numbers

Storage:

  • Encrypted file in secure location
  • Paper copy in safe
  • Copy with trusted family member

The kit is a full-compromise target: anyone holding it can take over every account it describes. Treat it with the same care as the master password itself, and split it if needed (codes in one place, the list of accounts and methods in another).

Update annually.
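The kit's list of critical accounts and recovery methods is worth checking mechanically rather than by eye. Added example, not from the original page: the recovery paths modelled as a graph, with three checks a practitioner wants before a lockout, namely accounts that recover each other (a loop that fails closed when both are locked), a single lost item that takes an account down on its own, and a simulated loss such as a house fire. The account names, items and dependencies are constructed for the demo.

```python
# account -> the things that can recover it. Anything that never appears as a
# key (hardware key, printed codes, SIM, carrier account) is a physical item
# you either still hold or have lost.
RECOVERY = {
    "google": {"hw-key-1", "hw-key-2", "paper-codes", "proton"},
    "proton": {"google"},                      # its recovery email is the Gmail address
    "github": {"hw-key-1"},                    # second key never registered here
    "bank": {"phone-number"},
    "phone-number": {"sim", "carrier-account"},
}


def recoverable(item: str, graph: dict, lost: set, _path: tuple = ()) -> bool:
    """True if some recovery option for `item` is reachable: a physical item
    you still hold, or an account that is itself recoverable. A path that
    loops back on itself contributes nothing, so two accounts that are each
    other's only way back are lost together."""
    if item in lost:
        return False
    if item not in graph:
        return True                # physical item, still in hand
    if item in _path:
        return False               # circular recovery
    return any(recoverable(dep, graph, lost, _path + (item,)) for dep in graph[item])


def lockout_report(graph: dict, lost: set) -> dict:
    """Simulate losing everything in `lost` and report each account's fate."""
    return {acct: recoverable(acct, graph, lost) for acct in graph}


def mutual_dependencies(graph: dict) -> list:
    """Pairs of accounts that list each other as recovery options."""
    return sorted(
        (a, b)
        for a, deps in graph.items()
        for b in deps
        if b in graph and a in graph[b] and a < b
    )


def single_points_of_failure(graph: dict) -> dict:
    """Physical items whose loss, on its own, makes some account unrecoverable."""
    items = {d for deps in graph.values() for d in deps if d not in graph}
    report = {}
    for item in sorted(items):
        down = [acct for acct, ok in lockout_report(graph, {item}).items() if not ok]
        if down:
            report[item] = down
    return report


def demo() -> dict:
    """Constructed scenarios run against RECOVERY."""
    fire = {"hw-key-1", "hw-key-2", "paper-codes"}           # everything that was in the house
    fixed = dict(RECOVERY)
    fixed["proton"] = {"google", "proton-recovery-phrase"}   # a printed phrase kept off-site breaks the loop
    return {
        "loops": mutual_dependencies(RECOVERY),
        "spof": single_points_of_failure(RECOVERY),
        "house_fire": lockout_report(RECOVERY, fire),
        "house_fire_after_fix": lockout_report(fixed, fire),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On the constructed graph the checks surface exactly the two mistakes the page warns about: GitHub has only one hardware key registered, and the Google and Proton accounts are each other's recovery email, which is harmless until the keys and the paper codes burn together and the loop is all that is left.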

When Locked Out

Immediate Steps

  1. Don't panic. Most lockouts are recoverable.
  2. Verify the lockout. Wrong password? 2FA device issue? Account suspended? Each has a different fix.
  3. Check other devices. Often you're still logged in somewhere, and a live session can usually change the password and enroll a new 2FA method without any recovery flow at all.
  4. Try recovery options in order. Don't skip to support ticket.

Recovery Attempt Order

  1. Backup hardware key
  2. Other logged-in session
  3. Password manager
  4. Backup codes
  5. Recovery email
  6. Recovery phone
  7. Support ticket (last resort)

If Using Support

Be prepared for:

  • Identity verification
  • Account history questions
  • Document submission
  • Multi-day wait times

Document everything: Ticket numbers, agent names, promises made.

After Recovery

Once you regain access:

  1. Secure immediately: Change the password, review active sessions
  2. Audit access: Check for unauthorized activity, including a changed recovery email or phone, new mail forwarding rules, and new app passwords
  3. Revoke sessions and tokens: Log out everywhere and revoke app passwords, API tokens and third-party OAuth grants; a password change alone leaves these valid
  4. Update recovery: Fix whatever failed
  5. Document lesson: What went wrong, how to prevent

Special Cases

Deceased User Access

Access to deceased person's accounts:

  • Most services have deceased user policies
  • Requires death certificate
  • May require court order
  • Plan ahead: include digital assets in estate planning

Corporate Account Recovery

Work accounts:

  • IT department is your recovery path
  • Personal backup may not be possible
  • Know your organization's policies
  • Don't rely on work accounts for personal recovery

Compromised Account

If locked out due to compromise:

  • Recovery is more complex
  • Attacker may have changed recovery options
  • Support ticket required
  • May need to prove identity extensively

See Digital Security Incident Runbook for full procedure.

