Google has rolled out a new Gmail security feature that allows users to regain access to their accounts through trusted friends or family members.
The new feature, called “Trusted Recovery Contacts,” lets users designate up to 10 people they trust to help them recover their Google accounts in case of lockouts. The update comes as Google continues its global transition toward passkeys, a security mechanism that replaces traditional passwords with biometric or device-based authentication.
However, passkeys present a practical challenge: losing the registered device can leave users stranded, unable to access their email, messages, or two-factor authentication apps. Google’s new recovery feature aims to address precisely that gap by introducing a human layer of trust into its digital security ecosystem.
“Recovery Contacts adds another trusted, secure option on top of our existing tools, helping you regain access when other methods aren’t available,” Google stated in an official blog post.
How the Trusted Recovery System Works
Once the feature is enabled, users can choose which contact they want to help them with the recovery process. Google will generate a unique recovery code, which the user shares with the chosen contact.
The recovery contact then receives a notification from Google prompting them to assist. To verify the legitimacy of the request, the contact is shown three possible codes and must select the one that matches the code the user provided.
This number-matching authentication ensures that the contact is responding to a genuine request and not a phishing attempt.
Google recommends that users select people who are available and responsive, as the code expires after 15 minutes. Once expired, the user must either resend a new code or choose another contact.
Each Google account can have up to 10 recovery contacts, and a user can serve as a recovery contact for up to 25 other accounts.
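The flow described in this section, modelled as an added example in Python; it is not Google's code and does not come from the article. The three choices and the 15-minute expiry are from the article, while the two-digit code format, the one-selection-per-challenge rule and the names `RecoveryChallenge` and `approve` are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # from the article: the code expires after 15 minutes
NUM_CHOICES = 3              # from the article: the contact is shown three codes
CODE_DIGITS = 2              # assumption: the article does not give the code format


def new_code():
    """Random zero-padded numeric code from a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class RecoveryChallenge:
    """One recovery attempt: a code for the user, three choices for the contact."""

    def __init__(self, now=None):
        self.issued_at = time.time() if now is None else now
        self.code = new_code()              # shown only to the locked-out user
        self.used = False
        choices = {self.code}
        while len(choices) < NUM_CHOICES:   # decoys must differ from the real code
            choices.add(new_code())
        self.choices = list(choices)
        secrets.SystemRandom().shuffle(self.choices)  # hide the real code's position

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now - self.issued_at > CODE_TTL_SECONDS

    def approve(self, selected, now=None):
        """Contact's selection: 'approved', 'expired', 'used' or 'mismatch'."""
        if self.used:
            return "used"
        if self.expired(now):
            return "expired"        # user must request a new code
        self.used = True            # assumption: one selection, right or wrong
        if hmac.compare_digest(selected.encode(), self.code.encode()):
            return "approved"
        return "mismatch"
```

In this model a contact who answers a prompt without having been given the code by the user can only guess among the three choices, and a wrong selection consumes the challenge.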
Security and Limitations
While the Trusted Recovery Contacts feature is designed with multiple safeguards, Google acknowledges potential risks if the contact themselves falls for social engineering.
For instance, a hacker could impersonate a friend through a spoofed email or phone number, tricking the recovery contact into approving a fraudulent request. However, Google says it deploys additional risk assessment checks, including device history, IP addresses, and geolocation, to flag suspicious recovery attempts.
Even after a contact approves a recovery request, Google may place the account on a temporary security hold, giving the legitimate owner time to verify the authenticity of the process.
The feature is currently limited to personal Gmail accounts. Users with Google Workspace or Advanced Protection Program accounts cannot use the feature to recover their own accounts, but they can still serve as recovery contacts for others.
Additionally, children’s accounts are excluded from both adding and being added as trusted contacts.
A Step Toward a Passwordless Future
The introduction of trusted recovery contacts is part of Google’s broader cybersecurity evolution strategy, which centers around passkeys and zero-trust authentication.
Passkeys, which rely on device-based cryptographic authentication rather than passwords, are seen as a major step forward for digital security. However, as users lose devices or change hardware, recovery has emerged as a major friction point.
By bringing social trust into the recovery process, Google is merging human networks with digital safeguards, a move security analysts say could redefine usability in cybersecurity.
“Passkeys have been one big step toward that password-free future,” Google explained. “Recovery Contacts adds another trusted, secure option on top of our existing tools, helping you regain access when other methods aren’t available.”
The feature is rolling out globally in phases this month, and early users can already access it in their Gmail settings.