How to lock down your email account recovery
Why this matters
Your email is the master key to everything else. Password resets for your bank, iCloud, Google, and social media all go to your email. If someone gains control of your email account — even through your recovery options — they can reset and take over every other account.
Recovery phone numbers are particularly risky: a SIM swap can redirect the number, and any recovery codes sent to it, to someone else. Recovery email addresses are risky if they have weaker security than your main account.
How to do it
- Open your email provider’s security settings:
  - Gmail: myaccount.google.com/security
  - iCloud: appleid.apple.com
  - Outlook: account.microsoft.com/security
- Review recovery phone numbers. If any are old or shared, remove them. If you keep a recovery phone, make sure it’s on an account with 2FA.
- Review recovery email addresses. They should have at least as strong security as your main account.
- Check “devices with access” and remove any you don’t recognize or no longer use.
- Check “apps with access” and revoke any you don’t recognize.
- Enable 2FA if you haven’t already (see the 2FA recommendation).
What you don’t need
You don’t need to remove all recovery options — having none means you could lose your account forever if you’re locked out. You need recovery options that are as secure as the account itself.
Open your email's security settings and confirm the recovery phone/email shown is one you control and trust.
Frequently asked questions
Why does email matter so much?
Email is the master key. Password reset emails go there. If someone takes over your email, they can reset the password to every other account you have.
What's a recovery email and why is it risky?
A recovery email is a fallback address that can be used to regain access to your account. If it's an old address you no longer control, or one with weaker security, it's a backdoor into your main account.