Set a recovery email and phone, enable 2-Step Verification, store backup codes, and add a passkey. These four moves prevent most lockouts and block the majority of account-takeover attempts. Do a Security Checkup and keep your number and secondary email current. You’ll also get warnings to your recovery email before any deletion under Google’s 2-year inactive policy.
Short Answer:
Go to myaccount.google.com → Security → Recovery email/phone, add both, then turn on 2-Step Verification, generate backup codes, and add a passkey. Finish with Security Checkup to confirm no gaps.
Why recovery info matters
What “recovery” actually does
Recovery details aren’t just for “forgot password.” Google uses them to verify it’s you during suspicious sign-ins, to send critical alerts, and to guide you through account recovery if you’re locked out. A working recovery email or phone can be the difference between a two-minute fix and losing your account.
Numbers that move the needle
Google’s year-long study with academic partners found that adding a recovery phone number significantly cuts hijacking risk. Their data shows device challenges and SMS codes can block nearly all automated bot attacks and most phishing attempts.
- Adding a recovery phone helped block up to 100% of automated bots and 99% of bulk phishing in Google’s testing scope. On-device prompts were even stronger for targeted attacks.
The essentials to set up now
Add or update a recovery email
Desktop: My Account → Personal info → Email → Recovery email → add and verify. Make sure this inbox is one you actually use.
Android: Settings → Google → Manage your Google Account → Security → Recovery email.
Short Answer: Use a recovery email you check often. It receives security alerts and recovery links if you ever get locked out.
Add or update a recovery phone
Desktop: My Account → Personal info → Phone → add a number you control. On Android, use the same menu as above via Security & sign-in.
Tip: if you recently changed numbers, Google may still allow codes to the old number for a short time so you can secure settings. Update your new number immediately.
Turn on 2-Step Verification and save backup codes
2SV adds a second check at sign-in. Set it up, then generate backup codes and store them offline. A single sheet of paper can save you when your phone is unavailable.
Add a passkey for password-less sign-ins
Passkeys are phishing-resistant and now the default sign-in option for personal Google Accounts. They work with your device’s screen lock or biometrics and can replace passwords in many cases.
Short Answer: After turning on 2SV, add a passkey on each device you trust. It’s faster and resists phishing better than passwords or SMS.
Step by step: Desktop and phone
Desktop: add recovery email and phone
- Visit myaccount.google.com → Personal info → Email → Recovery email → add and verify.
- Still in Personal info, open Phone → add a number → confirm.
Android: add recovery email and phone
Settings → Google → Manage your Google Account → Security & sign-in → Recovery email and Recovery phone. Follow the prompts.
iPhone: where these settings live
You can use the same myaccount.google.com web paths in Safari or Chrome on iOS. The steps are identical to desktop once you’re signed in.
Smart maintenance
If you changed your phone number
Update the recovery phone the same day you switch SIMs. Then generate new backup codes. This avoids recovery prompts going to a number you no longer control.
If you lost your phone
- Use a backup code to sign in and remove the lost device from your account.
- Re-add a new phone for 2SV and generate fresh backup codes.
If you used Google Authenticator, migrate or resync your codes to the new device using the in-app Transfer accounts flow.
If your account was hacked
Go straight to account recovery and answer as many questions as possible from a familiar device and location. Then change the password and review devices in Security Checkup.
Quarterly Security Checkup routine
Open Security Checkup, ensure recovery info is current, 2SV is on, and no unfamiliar devices or third-party app access remain. Five minutes, once a quarter.
Short Answer: Make a recurring reminder to run Security Checkup every three months and confirm your recovery email and phone still work.
Recovery vs 2SV vs passkeys: what’s what
| Thing | What it’s for | Best use | Pros | Cons |
|---|---|---|---|---|
| Recovery email | Identity checks and alerts | Password reset, unusual sign-ins | Simple, low friction | If unused or outdated, it fails when needed. |
| Recovery phone | Extra identity checks and codes | Password reset, step-up challenges | Blocks many attacks when combined with device prompts | SIM changes can cause issues; update promptly. |
| 2-Step Verification | Second factor at sign-in | Everyday protection | Huge risk drop; backup codes for emergencies | Slight extra step at login. |
| Passkeys | Password-less, phishing-resistant sign-ins | Primary login on trusted devices | Fast, secure by design | Set up per device. |
Which should you use?
Use all four: recovery email + phone for ownership checks, 2SV for daily defense, and passkeys for smoother, safer sign-ins. This stack covers both convenience and resilience.
High-risk users: Advanced Protection
Journalists, campaign staff, activists, public figures, and admins should consider Google’s Advanced Protection Program. It enforces stronger checks and is designed to resist targeted phishing. Passkeys now integrate into that experience.
Mini case studies
- SIM swap, no backup codes: a founder changed carriers and lost SMS access. Recovery failed until they used a printed backup code from a travel wallet. Lesson: always print backup codes.
- Old college email as recovery: a reader kept a defunct campus inbox as recovery and missed Google’s alerts. Updating to a current personal email fixed future resets.
- High-risk reporter: moved to Advanced Protection with passkeys before an election season. Recovery became stricter, but phishing attempts dropped off.
FAQ
How do I add a Google recovery email?
Go to Personal info → Email → Recovery email in your Google Account and verify it.
Where do I change my recovery phone?
Google Account → Personal info → Phone, or on Android via Security & sign-in → Recovery phone.
Can I recover Gmail without my phone number?
Yes, use your recovery email, backup codes, or device prompts during account recovery. Answer as many questions as possible from a familiar device and location.
What are backup codes and where do I get them?
Single-use codes you can print or save offline. Find them under 2-Step Verification → Backup codes.
Are passkeys really default now?
Yes, Google moved to passkeys as a default sign-in option for personal accounts. You can still choose passwords if you prefer.
Will Google delete my account if I’m inactive?
Personal accounts inactive for 2 years may be deleted, with notifications sent in advance to your email and recovery email. Log in periodically.
How do I set my Google recovery email?
Open myaccount.google.com → Personal info → Email → Recovery email, add and verify. Takes under a minute.
How do I change my recovery phone on Google?
Go to Personal info → Phone on desktop or Security & sign-in → Recovery phone on Android, then edit.
What should I do before I lose access to my phone?
Enable 2SV, print backup codes, and add a recovery email. These let you back in even without your phone.
Are passkeys better than passwords?
Yes. They resist phishing and are now the default sign-in option for personal Google Accounts.
Will Google delete inactive accounts?
Personal accounts inactive for 2 years may be deleted. Log in and keep recovery info current.
Source: Google Help | Google Blog

