Step 4: Update Your Account Recovery Options

Security for Everyone, edition e1.0.0

Updated October 9, 2023

Assuming that the steps outlined above have been followed, it is unlikely that you would lose your password at this point—your password is stored safely, and two-factor authenticated to boot.

Account recovery options for a service allow a user to have a backup email or other contact information, or answers to questions on file with the service, to recover access in the event the user forgets a password or otherwise loses access to the account.

Danger: Setting up account recovery options securely is important because these settings could give an attacker an alternate way into your account, even without your password.

Correct account recovery options are also needed in the unlikely situation that account access is lost. Think about losing your unlocked laptop that was already logged into your email. The very first thing that an attacker may do is change your password. In that heart-dropping moment, you want to be able to confidently get back in without having to remember how to get access to that old, defunct email account you set as your account recovery option.

Danger: Watch out for out-of-date recovery options on accounts. If you haven’t checked your account recovery options lately, you might find they are still set to an old email address.

I will admit this was the case for me when I recently logged into an old account that helpfully prompted me to check my old recovery settings. I was a bit surprised to see an old work email pop up when that hasn’t been active in a very long time. Out-of-date recovery options could be an old email address that you no longer protect, or an address at a domain you no longer own. Registering old, orphaned business domains and then watching what mail arrives is a common way for attackers to harvest data and take over accounts. Just because you stopped paying for a domain doesn’t mean other people and services stopped sending data to it.

Good account recovery options require the requester to confirm the recovery email address or phone number already on file before a code is sent, and will lock you out or require a manual verification process (such as a phone call) once the number of failed responses gets too high. This adds a layer of difficulty in case an attacker is guessing their way through the prompts, or skipping between methods to find one that is easier to bypass.
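As an added illustration of the behaviour just described (not code from the book), here is a toy recovery service: the requester must state the recovery email already on file before any code is sent, failed attempts are counted, and too many failures route the account to manual verification. The account names, the three-attempt limit and the six-digit code are constructed assumptions.

```python
import hmac
import secrets

# Added illustration of the recovery behaviour described above; not the book's
# code. The three-attempt limit and six-digit code are assumed values.
MAX_FAILURES = 3
CODE_DIGITS = 6

class RecoveryFlow:
    """Toy recovery service: confirm the contact before sending a code, count
    failed attempts, and fall back to manual verification after too many."""

    def __init__(self, accounts):
        self.accounts = accounts  # {username: recovery email on file}
        self.pending = {}         # username -> outstanding one-time code
        self.failures = {}        # username -> consecutive failed attempts
        self.locked = set()       # usernames now needing manual (phone) verification
        self.outbox = []          # (email, code) pairs standing in for sent mail

    def request_code(self, username, claimed_email):
        """Send a code only if the requester already knows the recovery email;
        knowing just the username earns nothing."""
        if username in self.locked:
            return "manual_verification_required"
        on_file = self.accounts.get(username)
        if on_file is None or not hmac.compare_digest(
                on_file.lower().encode(), claimed_email.lower().encode()):
            return self._record_failure(username)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = code
        self.outbox.append((on_file, code))  # a real service e-mails this
        return "code_sent"

    def verify_code(self, username, code):
        if username in self.locked:
            return "manual_verification_required"
        expected = self.pending.get(username)
        if expected is not None and hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[username]            # codes are single-use
            self.failures.pop(username, None)     # success resets the counter
            return "recovered"
        return self._record_failure(username)

    def _record_failure(self, username):
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] < MAX_FAILURES:
            return "rejected"
        self.pending.pop(username, None)  # a stale code can no longer be guessed
        self.locked.add(username)
        return "manual_verification_required"
```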

Bad account recovery options include the use of knowledge-based recovery questions. We talked about these earlier in the context of 2FA, but this situation is a bit different—this may be your only option for account recovery and thus unavoidable. In this case, your best bet is to use random (and untrue) values.

Confusion: These security questions are testing your identity, not the truthfulness of your responses. An attacker might know that your old high school was Coral Springs Charter, but no one but you would know that your response to that question is “correct horse battery staple.” And the best place to store those answers? Yep, you guessed it: your password manager.

We covered a lot of different options for securing your email account, so which option works best for you? Your choices are limited to what each service actually lets you configure, so look for the configuration that fits you. Although using a YubiKey offers the highest level of protection, it is not for everyone and it might cause more friction. The table below summarizes the different configuration options you will come across, the rough level of effort they require, and the level of protection they provide.

Table: Email Security Configuration Options

| How to access your account | Level of effort to use | Level of protection | Examples |
|---|---|---|---|
| Physical security key | ◼◼◼ Highest | 🟢 Highest | YubiKey, Titan Security Keys |
| One-time password via app | ◼◼ Moderate | 🟠 Moderate | Google Auth, Authy, Password Manager |
| Push notifications | ◼◼ Moderate | 🟠 Moderate | Account-specific apps (Microsoft Auth, Google Prompt) |
| One-time password via text message/SMS | ◼◼ Moderate | 🔴 Low | Any message app that allows SMS/text |
| Backup codes for 2FA* | ◼◼ Moderate | 🟢 High | Auto-generated, long, random characters |
| Knowledge-based questions | ◼ Low | 🔴 Low | Name of your first pet, mother’s maiden name |
| Recovery via email/phone call† | ◼ Low | 🟢 High | Verification sent to alternative email or manual phone call |
| Recovery via knowledge-based questions (real answers)† | ◼ Low | 🔴 Low | Name of your first pet: Laika |
| Recovery via knowledge-based questions (fake answers)† | ◼◼ Moderate | 🟠 Moderate | Name of your first pet: c7zf-yaUS# |

*Required.
†If you have 2FA turned on, backup codes would be used for recovery first.

Step 5: Remove Third-Party Application Access

The last step to protecting your email is to manage and control access to your email by third-party applications.

Third-party access is when you grant permission to your email provider to share access to your information with another service.

Third-party access is coming up more and more as small web applications are popping up and relying on larger identity providers to manage access for them. One of the most common identity providers used is an email provider, such as Google or Microsoft. This is perfectly legitimate, and something we will recommend to you in later chapters when faced with creating a user login function for your system.
