Timer on recovery options - password, email and phone
A friend lost access to their Google account recently. The hacker stole the phone and then changed the password and recovery options on the email account.
While PM uses the password to prevent recovery-option changes, I felt it would also be prudent to prevent recovery-option changes for some hours. This proposal aims to prevent recovery hijack (email and phone) after phone theft or unauthorised access, and also prevents a user who knows your account password from changing recovery options without authorisation.
Proposed idea:
- Delay recovery email change for 8 hours.
- Delay recovery phone change for 8 hours.
Alternatively, allow the account holder to use the old recovery email options for up to 72 hrs, in the event that the recovery option was changed without permission.
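The delay-plus-grace-window mechanism proposed above, as an added Python model (example code written for this thread, not Proton's implementation): a recovery-option change is recorded but only applied once the 8-hour delay has elapsed, the old recovery channel can cancel it before then, and a retired recovery email stays accepted for 72 hours after it was replaced. The class and function names (Account, request_change, cancel_change, the two scenario functions) and the addresses and timestamps in the scenarios are assumptions constructed for the example.

```python
"""Model of a delayed recovery-option change with a cancel path and a grace
window for the previous recovery email. Example code for this thread, not
Proton's implementation; the 8 h / 72 h values come from the proposal."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RECOVERY_CHANGE_DELAY = timedelta(hours=8)   # proposal: delay email/phone change
OLD_RECOVERY_GRACE = timedelta(hours=72)     # proposal: old recovery email stays usable
RECOVERY_FIELDS = ("recovery_email", "recovery_phone")


@dataclass
class PendingChange:
    field_name: str
    old_value: Optional[str]
    new_value: str
    effective_at: datetime


@dataclass
class Account:  # hypothetical account record
    recovery_email: Optional[str] = None
    recovery_phone: Optional[str] = None
    pending: dict = field(default_factory=dict)        # field_name -> PendingChange
    retired_emails: list = field(default_factory=list)  # (old address, time replaced)

    def request_change(self, field_name: str, new_value: str, now: datetime) -> PendingChange:
        """Record the change but do not apply it yet. A notice to the *old*
        recovery channel (not modelled) gives the real owner time to cancel."""
        if field_name not in RECOVERY_FIELDS:
            raise ValueError(f"unknown recovery field {field_name!r}")
        change = PendingChange(field_name, getattr(self, field_name), new_value,
                               now + RECOVERY_CHANGE_DELAY)
        self.pending[field_name] = change
        return change

    def cancel_change(self, field_name: str, now: datetime) -> bool:
        """Cancel path used from the old recovery channel. False if nothing is
        pending or the delay has already elapsed."""
        change = self.pending.get(field_name)
        if change is None or now >= change.effective_at:
            return False
        del self.pending[field_name]
        return True

    def apply_due_changes(self, now: datetime) -> list:
        """Apply every pending change whose delay has elapsed (run by a
        scheduler or on login). Returns the field names applied."""
        applied = []
        for name, change in list(self.pending.items()):
            if now < change.effective_at:
                continue
            if name == "recovery_email" and change.old_value:
                self.retired_emails.append((change.old_value, now))
            setattr(self, name, change.new_value)
            del self.pending[name]
            applied.append(name)
        return applied

    def recovery_emails_accepted(self, now: datetime) -> set:
        """Addresses a recovery flow should accept right now: the current one
        plus any retired address still inside the grace window."""
        accepted = {self.recovery_email} if self.recovery_email else set()
        accepted.update(addr for addr, retired_at in self.retired_emails
                        if now - retired_at < OLD_RECOVERY_GRACE)
        return accepted


def hijack_scenario():
    """Constructed scenario: attacker holding the phone changes the recovery email.
    Returns the accepted recovery addresses at 1 h, 8 h and 80 h after the request."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acct = Account(recovery_email="owner@example.org", recovery_phone="+15550100")
    acct.request_change("recovery_email", "attacker@example.net", t0)
    acct.apply_due_changes(t0 + timedelta(hours=1))     # still pending
    after_1h = acct.recovery_emails_accepted(t0 + timedelta(hours=1))
    acct.apply_due_changes(t0 + timedelta(hours=8))     # delay elapsed, change lands
    after_8h = acct.recovery_emails_accepted(t0 + timedelta(hours=8))
    after_grace = acct.recovery_emails_accepted(t0 + timedelta(hours=80))  # 72 h window closed
    return after_1h, after_8h, after_grace


def cancel_scenario():
    """Constructed scenario: the owner sees the notice and cancels within the delay."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    acct = Account(recovery_email="owner@example.org")
    acct.request_change("recovery_email", "attacker@example.net", t0)
    cancelled = acct.cancel_change("recovery_email", t0 + timedelta(hours=3))
    acct.apply_due_changes(t0 + timedelta(hours=9))     # nothing left to apply
    return cancelled, acct.recovery_email


if __name__ == "__main__":
    print(hijack_scenario())
    print(cancel_scenario())
```

The point the model makes concrete is that the two proposals compose: during the delay the owner's address is the only one accepted, and for 72 hours after the change both addresses are, so a thief who wins the race on the password still has to outlast a window in which the real owner can recover from the old channel.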