Google has introduced Recovery Contacts, a new way for users to regain access to a locked Google Account by asking trusted friends or family members to confirm their identity.
What Google Has Announced
Google says Recovery Contacts is “a new option that lets users choose trusted friends or family members to help if they ever get locked out of their Google Account.” It is designed for situations where standard recovery routes, such as SMS codes or a passkey on a lost phone, are not available. The feature is rolling out now and can be set up at g.co/recovery-contacts for eligible personal accounts.
How Recovery Contacts Works
Google says users nominate people they trust as recovery contacts in the Security & sign-in section of their Google Account. If a user becomes locked out, they can select one of those contacts during the recovery flow and tap “Get number.” Google then shows a code that expires after 15 minutes. The user shares that code with their contact, who will see three options on their device and must choose the one that matches. If the correct number is selected, Google says it treats that as a strong signal of legitimate identity and proceeds with account recovery. Recovery contacts cannot see any data or access the user’s account at any stage.
Limits, Timing and Eligibility
Google says several safeguards have been put in place to prevent misuse. For example, up to 10 recovery contacts can be added, and each person must accept the invitation before being included. After acceptance, there is a seven-day waiting period before that contact becomes active for recovery. If someone declines, the user must wait four days before sending another invite. When a recovery contact is used, the code received is valid for only 15 minutes, meaning both parties must act promptly. Google notes that child accounts, Advanced Protection accounts, and Google Workspace accounts cannot add recovery contacts, although those same accounts can still serve as a contact for someone else. A single person can act as a recovery contact for up to 25 different primary accounts.
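The flow and limits described above can be modelled in a few lines. This is an added illustration, not Google's code: the function names, the two-digit number format and the single-attempt rule are assumptions, while the 15-minute expiry, the three options and the seven-day activation delay come from the article.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=15)      # code validity, per the article
ACTIVATION_DELAY = timedelta(days=7)  # wait after a contact accepts, per the article
NUM_OPTIONS = 3                       # choices shown to the contact, per the article


@dataclass
class Challenge:
    code: str            # number shown to the locked-out user
    options: list        # numbers shown on the contact's device
    expires_at: datetime
    used: bool = False


def contact_is_active(accepted_at: datetime, now: datetime) -> bool:
    """A contact can only help once the waiting period has passed."""
    return now - accepted_at >= ACTIVATION_DELAY


def issue_challenge(accepted_at: datetime, now: datetime) -> Challenge:
    if not contact_is_active(accepted_at, now):
        raise PermissionError("contact is still inside the seven-day waiting period")
    # Assumption: distinct two-digit numbers drawn from a CSPRNG.
    picks = secrets.SystemRandom().sample(range(100), NUM_OPTIONS)
    options = [f"{n:02d}" for n in picks]
    return Challenge(secrets.choice(options), options, now + CODE_TTL)


def verify(ch: Challenge, selected: str, now: datetime) -> str:
    if ch.used:
        return "rejected: already answered"
    # Assumption: one answer per challenge, so a contact cannot cycle
    # through all three options until one is accepted.
    ch.used = True
    if now >= ch.expires_at:
        return "rejected: expired"
    if selected != ch.code:
        return "rejected: wrong number"
    return "approved"


if __name__ == "__main__":
    now = datetime.now()                 # constructed sample timeline
    accepted = now - timedelta(days=8)   # contact accepted eight days ago
    ch = issue_challenge(accepted, now)
    print(ch.options, verify(ch, ch.code, now + timedelta(minutes=5)))
```

Without the single-attempt rule, a contact tapping options at random would eventually approve any request, which is why the model consumes the challenge on the first answer.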
Why Is Google Doing This Now?
Account recovery has long been one of the most stressful aspects of online account management, and many users lose access when their phone number changes or a device with a passkey is lost. Google says the goal is to “strengthen account recovery and ensure access when it matters most.” The company has been steadily building towards a password-free future through technologies such as passkeys, and Recovery Contacts adds another layer of reassurance.
The move forms part of a wider package of privacy and security updates announced in mid-October, which also includes “Sign in with Mobile Number” for Android, spam link detection in Google Messages, and a “Key Verifier” for confirming encrypted chats. These collectively aim to reduce both account lockouts and the success rate of scams targeting Android users.
A New Type of Recovery
Traditionally, account recovery has relied on “something you have” such as a phone, or “something you know” such as a password. Recovery Contacts introduces “someone you trust” into the process, formalising what many people already do informally when locked out: turning to a friend for help. Google describes it as “a simple, secure way to turn to people you trust when other recovery options aren’t available.”
The Practical Benefits
For everyday users, Recovery Contacts should provide a safety net against permanent lockout from accounts holding vital information such as photos, documents and personal messages. The short validity of the recovery code makes it difficult for attackers to intercept, and the multiple-choice verification on the contact’s device prevents accidental approval of a fraudulent request.
For Android users, the linked “Sign in with Mobile Number” feature adds another useful safeguard in that it identifies all accounts linked with a particular phone number and allows verification using the previous device’s lock-screen passcode or pattern. This feature is being rolled out globally.
Who Can Use It and When
Recovery Contacts are rolling out now, though not every account will see the feature immediately. Google advises users to check eligibility through their account settings. Personal accounts are the primary focus, while Google Workspace and Advanced Protection users remain excluded. Workspace environments typically use hardware keys and administrator-managed recovery processes, which are considered more appropriate for professional use.
Business Users
For small businesses and sole traders using personal Google Accounts, Recovery Contacts could offer a straightforward but effective layer of protection. For example, losing access to a main account could halt operations if email and documents are tied to it, potentially costing time and money. Adding trusted family members or colleagues could, therefore, prevent prolonged downtime.
However, for organisations using Google Workspace, there is currently no change. Workspace recovery processes remain under administrator control, built around strict security policies that do not permit social recovery mechanisms. The seven-day activation delay after adding a contact also means businesses should prepare in advance rather than waiting until an issue arises.
Competitors and Industry Context
Apple introduced a similar system for iCloud users back in 2021, allowing trusted contacts to verify identity for Apple ID recovery. Meta also experimented with “trusted contacts” for Facebook accounts, although that feature was later discontinued. By adopting a comparable model, Google is bringing its ecosystem closer in line with other major platforms while maintaining a strong emphasis on user privacy.
Industry analysts note that this reflects a broader trend toward combining human trust with technical verification. While passkeys and biometrics have strengthened access control, human-assisted recovery provides a fallback that purely technological solutions cannot always guarantee.
Security Considerations and Criticisms
Cybersecurity experts, however, caution that introducing a human element can open new avenues for manipulation. For example, social engineering, where attackers trick people into taking harmful actions, remains a major risk. A fraudster could attempt to pressure a recovery contact into approving a request within the 15-minute window.
That said, Google has added several protections to counter this. For example, the contact must choose the correct number from three randomised options, making it harder to fake a legitimate request. Temporary security holds may also trigger if suspicious activity is detected, giving the account owner time to intervene. The mandatory waiting periods between invitations and activations slow down potential large-scale exploitation attempts.
Security specialists recommend selecting contacts carefully and ensuring those individuals understand the verification process. Any unexpected recovery request should be confirmed through another communication channel before approval.
A Broader Anti-Scam Backdrop
Recovery Contacts appears to sit within Google’s wider effort to limit scams and unauthorised access across its services. Alongside the new recovery feature, the company has expanded phishing and spam protections in Google Messages, adding link warnings and QR-based encryption verification. It has also launched “Be Scam Ready,” an interactive game designed to help people recognise fraudulent tactics before falling victim to them.
What Google Says
In announcing the feature, Google Product Manager Claire Forszt and Group Product Manager Sriram Karra said, “It’s a simple, secure way to turn to people you trust when other recovery options aren’t available.” They also emphasised that recovery contacts “will not have access to your account or any of your personal information,” presenting the feature as another step toward “a password-free future” where account access remains reliable even if devices are lost.
The Key Takeaway for Users
The key takeaway is that individuals with personal Google Accounts are being encouraged to set up Recovery Contacts in advance to avoid disruption later. Adding at least two trusted people, ideally those easy to reach quickly, can provide an effective safeguard if account access is lost. Users should also ensure their recovery phone numbers and email addresses are up to date and enable passkeys for secure sign-in wherever possible.
For business users, particularly those on Workspace, existing enterprise recovery policies remain the standard route. That said, Recovery Contacts reflects how identity verification is evolving toward a trust-based model. As accounts become increasingly linked to devices and biometrics, social recovery may soon become a common feature across all major digital ecosystems.
What Does This Mean For Your Business?
The introduction of Recovery Contacts highlights how identity management is now expanding beyond devices and credentials to include human trust as part of digital security. By creating a formal mechanism for involving trusted individuals in account recovery, Google is addressing one of the most frustrating weak points in its ecosystem: the difficulty of regaining access when every technical safeguard fails. This may also signal that major platforms are beginning to view social verification as a legitimate part of cybersecurity, not simply an emergency workaround.
For UK businesses, the change could have mixed implications. For example, sole traders and micro-businesses that still depend on personal Google Accounts gain an extra safety net that could prevent costly downtime if an account is locked. Larger organisations using Workspace, on the other hand, will see little change for now, as enterprise-grade recovery remains tied to administrative controls and hardware security keys. However, as account recovery becomes more reliable for individuals, it could also encourage stronger adoption of passkeys and multi-factor authentication across small firms that have previously avoided them for fear of being locked out.
The move will likely put pressure on other technology providers to strengthen their recovery options while maintaining user privacy. Apple’s earlier adoption of a similar approach shows that users expect this kind of fallback, and Google’s rollout makes it effectively mainstream. For cybersecurity professionals, it raises fresh questions about how to balance convenience and human trust without increasing the risk of manipulation. While the layered protections Google has built in should deter most opportunistic attacks, the feature still depends on the judgement and caution of the chosen contact.
In a broader sense, Recovery Contacts shows that security design is becoming more people-centred. The addition of human trust to the authentication process reflects an acknowledgment that no digital system can ever be entirely self-sufficient. For users, it introduces a practical, transparent safeguard that may one day be as familiar as password resets or two-factor codes. For Google, it reinforces its role as a standard-setter in account protection and signals a future where human support becomes a built-in part of online identity recovery rather than an afterthought.