Google has introduced Recovery Contacts, a new option that helps users regain access to a locked Google Account by having trusted friends or family verify their identity.

What Google Has Announced

According to Google, Recovery Contacts let users “choose trusted friends or family members to help if they ever get locked out of their Google Account.” It is intended for situations where usual recovery methods like SMS codes or passkeys on a lost device aren’t available. The feature is rolling out now for eligible personal accounts and can be set up via g.co/recovery-contacts.

How Recovery Contacts Works

Users select trusted individuals as recovery contacts in the Security & sign-in section of their Google Account. If they lose access, they can choose one of these contacts during the recovery process and tap “Get number.” Google then displays a code valid for only 15 minutes. The user shares this with the contact, who must match that code from three options shown on their device. Selecting the correct number signals a legitimate recovery attempt, allowing Google to proceed. Recovery contacts cannot view or access any account data.

Limits, Timing and Eligibility

Google has built safeguards to prevent misuse:

• Up to 10 recovery contacts can be added, but each must approve the request
• A seven-day waiting period applies before a contact becomes active
• If an invitation is declined, users must wait four days before sending another
• Recovery codes expire after 15 minutes
• Child accounts, Advanced Protection accounts, and Google Workspace accounts cannot add contacts (but can serve as one)
• One person can act as a recovery contact for up to 25 accounts

Why Is Google Doing This?

Account recovery remains one of the most stressful parts of digital life — and users frequently get locked out after losing access to phone numbers or passkey devices. Google says its goal is to “strengthen account recovery and ensure access when it matters most.” As the company pushes toward a password-free future, Recovery Contacts offers an important fallback.

This feature is part of a broader security upgrade announced in mid-October, including “Sign in with Mobile Number,” enhanced spam detection in Google Messages, and a “Key Verifier” for encrypted chat validation. The updates aim to reduce both account lockouts and scams targeting Android users.

A New Type of Recovery

Traditional recovery relies on something you know (password) or something you have (phone). Recovery Contacts adds a third element: someone you trust. It formalises the real-world behaviour of turning to a friend when locked out. Google calls it “a simple, secure way to turn to people you trust when other recovery options aren’t available.”

The Practical Benefits

Recovery Contacts helps protect access to essential accounts — storing photos, documents, and messages — reducing the risk of permanent lockout. Short-lived codes and multiple-choice verification help block fraud and accidental approval.

For Android users, “Sign in with Mobile Number” identifies accounts linked to a phone number and allows sign-in using the previous device’s screen lock. This is rolling out globally.

Who Can Use It and When?

The rollout is gradual, and eligibility may vary. Personal accounts are the priority, while Workspace and Advanced Protection users are excluded since those environments rely on stricter, administrator-controlled recovery methods.

Business Users

For small businesses or sole traders using personal Google Accounts, Recovery Contacts offer a simple but effective backup. Losing access to an account with business email or files can cause downtime — and trusted contacts can help prevent that.

Workspace users will see no change, as enterprise recovery follows established, higher-security processes. The seven-day activation delay also means businesses should set up contacts early rather than wait for a crisis.

Competitors and Industry Context

Apple introduced “Account Recovery Contacts” for iCloud in 2021, and Meta previously offered a similar Facebook feature. Google is now aligning with industry peers while maintaining strong safeguards.

Experts note that combining human trust with technical verification reflects a wider trend — acknowledging that fail-proof automated recovery doesn’t always exist.

Security Considerations and Criticism

Introducing people into a security process raises risks — especially social engineering, where attackers manipulate contacts into approving fraudulent requests. A criminal could pressure a contact to respond within the 15-minute window.

Google addresses this with:

• randomised multiple-choice verification
• temporary security holds for suspicious activity
• enforced waiting periods for invitations and activations

Users should choose contacts carefully and double-check any unexpected recovery request through another communication channel.

A Broader Anti-Scam Strategy

Recovery Contacts complements Google’s wider anti-fraud efforts, including enhanced spam protection in Messages, QR encryption verification, and the new “Be Scam Ready” interactive training tool.

What Google Says

Google’s Claire Forszt and Sriram Karra describe the feature as “simple” and “secure,” adding that contacts “will not have access to your account or any of your personal information.” It supports a vision of a password-free future where access is still reliable even if devices are lost.

Key Takeaway for Users

Google is encouraging personal account holders to set up Recovery Contacts proactively. Adding at least two trusted individuals — ideally easy to reach quickly — provides a valuable safety net. Users should also maintain up-to-date recovery phone numbers and email addresses and enable passkeys for added security.

Workspace-based organisations will continue using their existing recovery frameworks, but the shift toward social recovery highlights how digital identity is evolving.

What Does This Mean for Your Business?

Recovery Contacts show that identity management now includes people as a deliberate security component. Google is addressing a long-standing pain point: regaining access when all else fails. This may also signal growing acceptance of trust-based verification within cybersecurity.

For small UK businesses relying on personal Google Accounts, the feature adds resilience and may even encourage wider adoption of passkeys and multi-factor authentication. For larger organisations using Workspace, there’s no operational change but the trend points to future improvements in cloud recovery UX.

Overall, Recovery Contacts demonstrates a more people centred approach to security. By formally integrating trusted human support into account recovery, Google reinforces its leadership in protecting access and sets expectations for others to follow.