Keeping your Google account secure and accessible.

There are many among us who have lost access to their Google account due to one of the following reasons:
  1. Forgetting the Password
  2. Losing access to the listed recovery and verification options
  3. Factory reset of their Android device
  4. Account getting hacked
  5. Account disabled for a perceived violation of Google's Terms of Service and/or any of its product-specific policies
  6. Account disabled for unusual activities
  7. Other cases

In this blog, I am going to do a deep dive into each of the issues mentioned above, sharing caveats and best practices that highlight the important details through which you can keep your Google account not only secure but also accessible.

Forgetting the Password

The first thing to keep in mind is that, for security reasons, the Google Password Manager will not show you the password for the account you are signed in to.

 So, your options are:

Note that remembering the password for your account is absolutely essential, because it sets the flow of the Google user-verification process going forward.

Losing access to the listed recovery and verification options

Preventing this from happening requires an understanding of your Google Account's security levels and of the way the Google user-verification process works.

The system is designed to verify your ownership credentials beyond all reasonable doubt, using the most secure process based on the highest security setting enabled on the account.

Google offers three security levels for their personal Google accounts. 

  1. The basic security, which involves setting up a recovery email address and a recovery phone number. It is important to remember that the two recovery options are not replacements or substitutes for each other and are used for different purposes by and in the Google user-verification process. So, it is necessary to include both as recovery options and update them in case any of them becomes obsolete.
  2. The Google 2-step verification security, which involves setting up options such as Google Prompts on eligible devices, codes generated by HOTP/TOTP apps like Duo or any Authenticator app, codes delivered to your phone via a text message or a voice call, or a batch of offline backup codes. Remember that there is a hierarchy of those options based on how secure they are, and it helps to set up as many verification options as you can, as each of them can be useful under different circumstances.
  3. The Google Advanced Protection Program, which involves setting up physical security keys or Passkeys. Because it offers the strictest security, it also offers the fewest alternative options to sign in to the Google Account. So, be aware of the verification options you have set up on the account and understand the implications of losing your verification options. If you are able to, use physical security keys. Until you are sure of how verification via Passkey works, it is best not to turn on the "Skip password when possible" option within the "How you sign into Google" section under the Security tab of this page - https://myaccount.google.com/security. For Passkey FAQs, refer to https://support.google.com/accounts/community-guide/349677792/passkey-faqs?hl=en

Factory reset of their Android device

This is one of the common actions that cause people to lose access to their account. So, these are the things you must remember before performing a factory reset of your Android device.

  • Do not perform a factory reset for trivial reasons.
  • Before performing the factory reset, ensure the account is signed into another device, albeit temporarily.
  • Review this checklist on the options you need access to for signing in to your Google account after the factory reset based on the security level enabled on your Google account - https://support.google.com/accounts/thread/75668397?hl=en.

Note that remembering the password is very important during the sign-in process after a factory reset. If you have forgotten the password, Google will not allow you to reset it from the recently reset device. You have to reset the password from another device where the account is signed in and then allow a 24-hour cool-down period before the new password can be used on the reset device for signing in.

Account getting hacked

An account can be hacked in a variety of ways and not always by hackers. We see enough threads in the Google Account English Help Community where a disgruntled individual has assumed access to an account that's not rightfully theirs.

Some of the common reasons for getting your Google account hacked are:

  • Leaving your devices unlocked and unattended in the presence of others. 
  • Sharing sensitive account related information such as password, OTP sent to your recovery email or phone number.
  • Sharing access to any of the listed recovery/verification options listed in the account.
  • Downloading unverified/malicious apps, scripts or software on your device and allowing them more than their necessary access/permission. Stay alert.
  • Clicking on links included in suspicious emails which may trigger a download of virus, spyware, malware including Keyloggers. Stay alert. 
  • Cookie theft is one of the common reasons. So, read about how hackers employ it in order to stay alert.
  • Have your device and other peripherals checked on a regular basis. I suggest you consider running a strong Anti-virus, Anti-spyware, and Anti-malware on your computers, and if you suspect something unnatural or suspicious, contact/visit support for your devices for a detailed check. You can also contact your ISP and Carrier (Mobile service provider) to ensure the settings are not compromised. For your Android, keep the software updated, use a strong screen lock, enable Play Protect, use secure, authorised app sources, and review app permissions regularly.

We, the product experts, have noticed some recent trends with regards to hacked accounts which are important to mention here:

  • Hackers are adding parental supervision to hacked accounts, thereby making it almost impossible to recover them.
  • Hackers are setting factory reset instructions remotely on Android devices which were signed into the hacked addresses.

The only practical way to prevent your account from being hacked is to follow safe internet practices, remain alert to the various things happening on your Google account, and run the security checks the moment you suspect something. Google, on their part, offers you various options to keep your account secure and accessible. It is your responsibility to set them up on your Google account.

Account disabled for a perceived violation of Google's Terms of Service and/or any of its product-specific policies

Not many of us read either Google's Terms of Service or any of its product-specific policies. The least we can do is to read this Help Centre article for a better understanding of the activities that can potentially get our accounts disabled and how to proceed when or if that happens - https://support.google.com/accounts/answer/40695?hl=en.

Unless the action constitutes an egregious violation where the account is instantly deleted, Google allows the user the option to submit a review appeal where the user can include their version of the incident or an explanation of it for the concerned team to review and decide accordingly.

A few things to note here:

  1. The appeals form is the only way to contact the review team.
  2. Submit your appeal seriously. I recommend not using phrases like "I don't know how it happened", "I'm sorry it happened" or "It won't happen again". Those do not help.
  3. Google may not offer you additional opportunities to appeal or look into additional reviews if there is already one pending.
  4. You would typically receive a response from the team within a few days. If you do not receive any email from Google after a couple of weeks, it can be safely assumed that the review team has upheld the original decision. 
  5. In all cases, the decision of the review team remains final and binding. 

Account disabled for unusual activities

Commonly, it means a sequence of actions that is unusual for the account in question. This is done to protect the account and allow the legitimate owner to reclaim ownership of the account by offering the necessary proof of ownership as discussed above.

A good way to avoid these incidents is to be careful not to perform any activities related to critical security settings and bulk actions specific to data maintained under various Google products and/or services.

If an account is locked or disabled for unusual activities, the way to recover it is via the Google Account recovery process, starting here - https://g.co/recover.

It also means the usual rules of account recovery apply, such as (among others):

  • The knowledge of the password.
  • Access to the recovery and verification options listed on the account.
  • Attempt from a setup comprising the device, network connection, and physical location the system considers trusted and through which the account was accessed recently.
  • If the initial recovery attempt fails, retry after a minimum waiting period of 7 days (168 hours). Do not keep retrying. The system becomes more suspicious when an instance of unusual activity leading to a disabled account is followed by successive, unsuccessful recovery/sign-in attempts within a short period from a specific setup.

Other cases

These normally involve cases like a DOB change on the account or dormant/inactive accounts.

If there is a DOB change on the account, where the changed DOB is under the minimum age to have a regular Google account based on the country of residence, three options are presented to the user:

  1. Provide proof of age using any Government ID or Credit Card and return the account back to being a regular Google account. For more details, you can refer to 
    • The system only offers you limited chances to verify your age using Govt ID. If/when you exhaust those options, the remaining option is to verify your age using the Credit Card. 
  2. Keep the changed DOB on the account and add parental supervision to it. 
  3. Do nothing and allow the account to be deleted by Google after a period of time. The system may offer you the chance to download data from select Google products and services prior to such deletion. Keep in mind that Google doesn't recycle deleted usernames. So, once that username is deleted by Google, you can't re-register that username in the future.

Dormant or inactive accounts are typically the result of life events, or are accounts created mostly for gaming or for use on social and non-Google platforms. Under all circumstances, it is important to remember that Google's inactive accounts policy considers an account as inactive if it has not been used within a 2-year period. When that happens, Google reserves the right to delete an inactive Google Account and its activity and data. Google also reserves the right to delete data in a product if you are inactive in that product for at least two years. This is determined based on each product's inactivity policies.

So, irrespective of whether you use your Google account for gaming or for some activities on other platforms, it is imperative to comply with this policy, as the loss of your Google account/Gmail address will impact your access to that third-party platform whether you happen to sign in directly or use the Sign in with Google option.

What further complicates the recovery of a dormant/inactive account is the similarity of the situation with a very common hacking scenario, where a sign-in is attempted after a long period of time, with or without the knowledge of the password, using a setup the system doesn't recognise, with no access to one/both recovery options. The system notices all of the above and automatically there are enough doubts to deny your account recovery attempts.

I look forward to your thoughts on this topic in the comments section.
