Email Account Recovery

What happens when you go through the account reset flow?

A friend recently contacted me about an account they were trying to recover. The first thing they said was “Can you hack a Gmail account?” 😂 I wanted to write about this in case it helps others who have had this experience or know of someone who has. Long story short, their phone broke, and they were trying to set up a new phone. The credentials to the account were forgotten and they couldn’t finish setting it up. The questions I asked to help were:


  • Did they have a recovery email or phone number?
  • Did they try to reset the password?
  • What happens when you go through the account reset flow?

This led to knowing that there wasn’t any recovery email or phone number, and resetting it would have to be done another way. I tested this flow myself by choosing “forgot password”, and it sent me a mobile prompt to verify it was me. When they tried to go through the same “forgot password” flow, it sent a recovery code, but it went to the broken phone, adding another fork to the road to recovery.

From here, I verified there was the option of recovery without knowing the password or having a recovery email/phone number. There is the option of resetting by typing the last password you remember and verifying your identity through some security questions.

Google Account Recovery

In the end, after some shenanigans, they got access to their account.

Remember that security and engineering are a lot about minimizing the problem. No one has all the answers; the key is knowing what questions to ask and where to look.

Written on October 27, 2021