Are Gmail's account recovery options insecure and mostly useless?

[snowhiker]

My main email account had a really simple password. Something like: "xxabc1234." Seriously that simple. Since 2009. And for three years before that it was "xxabc123." Never any issues, but I figured it was time for a change. So I decided to change the passwords and recovery options on all five email addresses I have and I discovered something face-palm-worthy:

Gmail's Account recovery options (alternate email or phone number) can be changed once you are logged in without an "authorization code" being sent to the OLD alt-email/phone# accounts to authenticate the change to the NEW alt-email/phone#. If a hacker gets into my account can they simply change the alternate email and phone number to theirs and lock me out?

After your alternate email or phone# are changed you do receive a message to those accounts saying your recovery email or phone were changed and that you can recover your account by clicking a link in the message. But how long will that link work? A day or week? I've gone on two week vacations and did not check any email or phone, would I be locked out permanently? Will I always be able to recover my account using the "original" recovery email/phone# no matter how long ago they were changed? What if recovery email/phone# where changed multiple times will any of those older options work to recover my account or will only the most current recovery accounts work?

Account recovery only seems to be useful if I forgot my password and lock myself out. If a hacker gains access they can lock me out.

Yes I know about 2FA. Password and phone number needed to gain access to my account. I guess I need to replace my "emergency's-only" pre-paid phone.

Is 2FA the only way to secure a Gmail account?
Any alternate web-based email options available that have better/more secure account recovery options?

 

[Handruin]

The process you're going through to secure your primary account is a good one. The password you use should really be considered irrelevant these days given how often these items are compromised at various locations. The place where you should focus is the 2FA and understand the weaknesses in that area to secure yourself to the point that breaches from hackers and phishing techniques are reduced as much as possible.

Google does a decent job with the heuristics of account access from different devices and different IP locations. Should can see some of their behaviour if you were to use a different browser, phone, and/or a different IP via a VPN for example. This is by no means foolproof but they do a decent job of alerting the individual when access to your account has an entry point that is unrecognized.

Your concern about the authentication of changing the backup email and phone number is part of the risk. Perhaps they could do this better but for whatever reasons they felt it wasn't worth implementing. What it sounds like you're asking is to have your backup email account and/or phone number be enabled as a 2FA source. I don't feel doing that is warranted because if you really want to harden your account, I would recommend you actually remove your phone number as a recovery option. Mobile device sim swapping is incredibly easy for hacker groups and should not be considered a reliable method for backup account access.

Yes, 2FA is the main way to secure your Google account and I would encourage you to look into a hardware token as the means for securing your account. I discusses this a bit in my semi-recent post about the Yubico YubiKey for 2FA account security. I've since removed my mobile number as a means for account recovery and only use the YubiKey (two of them) and static backup codes as the means for account recovery. If you have any questions about it let me know and I'll try my best to answer them.

 

[sechs]

One thing that I did was have all new logins confirmed with the Google app on my phone. Anyone trying to access my account needs the password, 2FA, and access to my phone.

While not foolproof, it's a lot of ground for someone to cover.

 

[Handruin]

That should work well. I don't think it would help you with the more sophisticated phishing attacks that go around with someone trying to get your 2FA code.

 

[sechs]

The user is pretty much always the weakest link in security....

 

[Handruin]

I agree. The point I was getting at was to mitigate those sophisticated phishing attempts, a hardware key can potential save you (or I) from us being the weakest link.

 

[LunarMist]

Mentally or physically?

 

[Handruin]

In this case both. Mentally weak in not recognizing the phishing attempt and physically stopping the phishing attack because the key won't work.