How Your Email Recovery Options Can Become a Privacy Backdoor
Email recovery systems designed to help you regain account access have become a critical security vulnerability. Attackers routinely bypass strong passwords and multi-factor authentication by exploiting recovery options like security questions and phone numbers, creating a dangerous backdoor into your most sensitive accounts.
If you've ever set up a recovery email address or security questions for your email account, you might think you're making your digital life more secure. The reality is far more troubling: the very mechanisms designed to help you regain access to your accounts have become one of the most exploited vulnerabilities in modern cybersecurity. Every day, attackers bypass sophisticated security measures not by cracking passwords or breaking encryption, but by exploiting the recovery options you set up to protect yourself.
This isn't a theoretical concern. In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after attackers used a SIM swap to bypass recovery protections and steal approximately $38 million in cryptocurrency from a customer's wallet. The attackers didn't hack the victim's password—they simply convinced a call center agent to issue a remote eSIM, gaining control of the phone number used for account recovery.
If you're concerned about your email security, you're right to be worried. This comprehensive guide examines how email recovery mechanisms create dangerous security backdoors, why even multi-factor authentication can't always protect you, and what you can do to secure your accounts without locking yourself out permanently.
The Fundamental Problem with Email Recovery Systems

Email recovery mechanisms exist to solve a real problem: getting you back in when you forget your password or lose your authentication device. The paradox that security engineers have wrestled with for years is that recovery has to work precisely when your primary credentials are unavailable, so it must authenticate you by something else: a second mailbox, a phone number, a personal fact. Whatever that something else is, it is a second login path, and it is almost always weaker than the first.
Think about it logically. If the recovery path demanded proof as strong as your password plus your second factor, losing either one would lock you out for good. So providers make recovery more forgiving, and the forgiving path is the one attackers take.
Why Your Email Account Is the Master Key
The problem becomes considerably worse when you understand that your email account isn't just one account among many: it's the root of trust for your entire digital identity. As OWASP's guidance on authentication and password reset notes, email now serves several critical functions at once: communication channel, backup authentication method, password reset destination, and central identity proof.
When attackers compromise your email account, they don't just read your messages. They gain the ability to reset passwords for every online account linked to that email address—your banking, social media, cloud storage, work accounts, and more. Email compromise is not a single account takeover; it's a complete digital identity theft.
The situation is further complicated by how recovery mechanisms often bypass your security measures entirely. If you've enabled multi-factor authentication on your email account, many recovery systems don't require that second factor. Research from Transmit Security demonstrates that attackers specifically target recovery mechanisms because they provide a direct path around the MFA protection you've carefully implemented.
How Attackers Exploit Your Recovery Options

Understanding how criminals target recovery mechanisms helps you recognize and defend against these attacks. Modern account takeover attacks follow predictable patterns that exploit weaknesses in how recovery systems are designed and implemented.
The Multi-Stage Attack Chain
Contemporary attackers don't waste time trying to guess your password. Instead, they focus on your recovery options because the success rate is dramatically higher and the attacks require less technical sophistication. The attack typically progresses through several stages:
Information Gathering: Attackers start by collecting publicly available information about you from LinkedIn, Facebook, Twitter, and other social media platforms. They're looking for details that might answer security questions or help them impersonate you to customer service representatives.
Recovery Mechanism Identification: Next, they identify which recovery options are available for your account. Many services helpfully display partial information about recovery email addresses or phone numbers during the password reset process, giving attackers confirmation of their targets.
Social Engineering: Armed with personal information, attackers contact help desks or customer service representatives, using the details they've gathered to convince staff they're the legitimate account owner. Palo Alto Networks' 2025 Global Incident Response Report documented one case where an attacker progressed from initial access to domain administrator rights in under forty minutes by targeting the MFA reset process through help desk deception.
Password Reset Poisoning: The Technical Attack
One of the most dangerous technical vulnerabilities is password reset poisoning, where attackers manipulate vulnerable websites into generating reset links that point to attacker-controlled domains. According to PortSwigger's Web Security Academy, this attack works by intercepting the HTTP request used to initiate a password reset and modifying the Host header.
When the application naively uses this modified header to construct the password reset URL, the reset link points to the attacker's server instead of the legitimate service. You receive what appears to be a legitimate reset email, click the link, and unknowingly send your password reset token directly to the attacker. They then use this token to reset your password on the actual service.
The vulnerability has been documented since at least 2013, yet it remains common because many web frameworks build absolute URLs from the Host header (or from X-Forwarded-Host, which proxy-aware frameworks trust) unless the application pins a canonical origin in its configuration and rejects requests for any other host.
SIM Swapping: When Your Phone Number Becomes the Weakness
If you use your phone number as a recovery option—and millions of people do because it seems convenient—you're vulnerable to SIM swapping attacks. In these attacks, criminals contact your mobile carrier and convince a customer service representative to transfer your phone number to a SIM card they control.
The March 2025 T-Mobile case mentioned earlier demonstrates how devastating these attacks can be. The attackers bypassed T-Mobile's "NOPORT" security flag—specifically designed to prevent SIM swaps—by convincing a call center agent to issue a remote eSIM QR code. Even security measures explicitly designed to prevent SIM swaps can be defeated through social engineering.
Once attackers control your phone number, they receive every SMS meant for you: one-time passwords, password reset links, and MFA verification codes. NIST SP 800-63B classifies one-time codes delivered over the phone network (SMS or voice) as a restricted authenticator, meaning providers must warn users of the risk and offer a stronger alternative; CSO Online's analysis of SMS security risks makes the same point. Yet SMS remains the most commonly deployed recovery method.
The Privacy Implications You Haven't Considered

Beyond the security vulnerabilities, email recovery options create substantial privacy concerns that most users never consider when setting them up. The information you provide for account recovery doesn't just sit dormant until you need it—it creates ongoing privacy exposures.
Security Questions Expose Personal Information
Knowledge-based authentication systems—commonly known as security questions—ask you to provide answers about personal information like your mother's maiden name, childhood pet name, or the street where you grew up. The problem is that these answers are frequently publicly available information.
Your mother's maiden name can often be discovered through genealogy websites, public records, and social media research. The street where you grew up might be mentioned in old social media posts or school yearbooks. Pet names appear in social media photos with captions. Ping Identity's analysis of knowledge-based authentication shows that attackers can often answer these "secret" questions through basic online research, rendering the security question system largely ineffective.
Even worse, the stored answers are a breach liability. Some services keep them in plaintext or reversibly encrypted so that support staff can compare them by eye; if the service is breached, attackers get every question and answer in the system. And even when answers are hashed and salted like passwords, hashing helps far less than it does for passwords, because the answer space (a few thousand surnames, street names or pet names) is small enough to run through in seconds once the hash is stolen.
Outdated Recovery Email Addresses Create Persistent Vulnerabilities
Users often set up recovery email addresses years ago and then forget to update them as circumstances change. A recovery email address registered at a former employer or using an account you no longer access may remain active in recovery systems indefinitely, creating a persistent vulnerability.
This problem is particularly acute for anyone who used a work address as the recovery contact for a personal account. When you leave, the corporate mailbox is typically disabled or reassigned, but it may remain listed as the recovery address on your personal accounts, and whoever administers or inherits that mailbox can request password resets for those accounts.
The recovery mechanism designed to help you regain access becomes a vector for former insiders to maintain access to accounts they previously controlled.
Metadata Exposure and Behavioral Tracking
Every time you request a password reset link or MFA code, you create a record of when you forgot your password, what device you're using, and where you're located. This metadata reveals behavioral patterns that can be analyzed to understand your vulnerabilities and identify optimal times for attacks.
Additionally, when services send notifications about unauthorized recovery attempts—which you're encouraged to enable for security—these notifications themselves create privacy concerns. If your recovery email address has been compromised, the attacker sees all the notifications about recovery attempts, providing them with information about how you're trying to regain access.
How Mailbird's Architecture Affects Email Recovery Security

If you're using Mailbird as your email client, you need to understand how its architecture impacts your recovery security. Mailbird implements a fundamentally different approach compared to cloud-based email services, which creates both advantages and unique considerations for account recovery.
Local Storage Model: What It Means for Your Security
Unlike cloud-based email services that store your messages on their servers, Mailbird stores email data locally on your computer. This architectural choice means that Mailbird itself cannot access your emails, and breaches of Mailbird's infrastructure cannot expose your email content.
However, this advantage doesn't eliminate the vulnerabilities of underlying email recovery mechanisms. When you configure email accounts in Mailbird, you connect the application to your email provider using OAuth 2.0 authentication or legacy basic authentication methods. For OAuth-authenticated accounts, you authenticate through your email provider's login portal, where any MFA requirements are enforced before Mailbird receives access tokens.
The critical point to understand is this: Mailbird cannot help you recover accounts because Mailbird doesn't maintain your passwords or authentication credentials. If you forget your Gmail password and cannot access your Gmail account, you must use Google's account recovery process, which is vulnerable to all the recovery mechanism vulnerabilities we've discussed.
OAuth Authentication and Token Security
Mailbird's implementation of OAuth 2.0 authentication introduces a different category of security consideration. When Mailbird authenticates through OAuth, it receives access tokens that allow it to retrieve emails from your email provider. If these tokens are compromised through malware or unauthorized device access, attackers gain access to your email account without needing your password.
According to Mailbird's privacy configuration documentation, the application stores tokens securely on your local device and doesn't transmit them to Mailbird's servers. However, the tokens themselves become attack targets if your computer is compromised by malware or if local file system security is inadequate.
The remedy is to revoke the OAuth grant through your email provider's account security settings. Whether a password change also revokes existing OAuth tokens varies by provider and by the scopes involved, so do not assume it does: after any suspected compromise, revoke the grants explicitly and then re-authorize the clients you still use.
Multi-Factor Authentication Integration
Mailbird's integration with email provider MFA systems creates both security benefits and recovery challenges. When Mailbird authenticates through OAuth, MFA requirements are enforced at the email provider's authentication portal before Mailbird receives access tokens. This means you cannot access your accounts through Mailbird without completing MFA challenges.
However, this creates a recovery consideration: if you lose access to your MFA device and cannot complete the MFA challenge required by the OAuth authentication flow, you cannot add your email account to Mailbird until you recover access to your MFA device or use your email provider's account recovery process.
Mailbird itself doesn't provide MFA mechanisms—the application relies on your email provider's MFA implementation. You must enable MFA through your email provider and ensure you have reliable access to your second factor and backup recovery codes.
Best Practices for Securing Your Email Recovery Options

Understanding the vulnerabilities is only the first step. You need practical strategies to secure your recovery options without creating a situation where you lock yourself out of your own accounts. These recommendations are based on security best practices and current threat intelligence.
Implement Multiple Secure Recovery Methods
Rather than relying on a single recovery mechanism, implement multiple backup methods that work together. NIST's Digital Identity Guidelines (Special Publication 800-63B) treat the loss of all authenticators as a reason to repeat identity proofing rather than to fall back on something weaker; the strongest recovery services do exactly that, verifying a government-issued identity document and a biometric match before issuing new credentials.
Recovery Email Addresses: Maintain a secure recovery email address that you control and monitor regularly. This should be a separate email account from your primary account, hosted with a different provider if possible. Verify that you still have access to this recovery email address at least quarterly.
Backup Codes: Generate and securely store backup codes during MFA setup. Unlike security questions, backup codes are randomly generated with high entropy, making them resistant to guessing or brute-force attacks. Store these codes in a password manager, encrypted storage, or offline location—never in email, cloud storage, or other easily compromised locations.
Hardware Security Keys: Consider using FIDO2-compliant hardware security keys as your primary MFA method. They are phishing-resistant because the key only signs a challenge bound to the site it was registered with, so a lookalike site gets nothing usable, and there is no phone number to SIM-swap and no code to relay. Keep a backup security key, registered with the same accounts, in a secure location separate from your primary key.
Avoid Knowledge-Based Authentication
If your email provider offers alternatives to security questions, use them. Security questions have been explicitly rejected as acceptable recovery mechanisms by NIST and other authoritative security organizations, yet they remain in widespread use because of legacy system requirements.
If you must use security questions, stop treating them as questions. Generate a random string for each answer, store it in your password manager alongside the account, and paste it when asked. A factual answer is researchable, and a "memorable" non-factual one is still either guessable by someone who knows you or forgettable by you.
Monitor Your Accounts for Unauthorized Recovery Activity
Enable notifications about password reset requests, MFA changes, recovery email additions, and other account modifications. According to Huntress's comprehensive guide to account takeover prevention, these notifications provide early warning signals about unauthorized access attempts.
Review these notifications promptly. If you receive a password reset notification that you didn't request, immediately secure your account by changing your password, updating recovery information, and revoking OAuth tokens through your email provider's security settings.
Regularly Update and Verify Recovery Information
Set a calendar reminder to review your recovery information quarterly. Verify that:
- You still have access to all recovery email addresses
- Phone numbers used for recovery are current and under your control
- Backup codes are stored securely and haven't been lost
- Security keys are functional and accessible
- Recovery information doesn't include outdated email addresses from former employers or institutions
This regular maintenance prevents situations where you discover your recovery information is outdated only when you desperately need it to regain account access.
Emerging Threats: AI-Powered Attacks and OAuth Exploitation
As security defenses improve, attackers evolve their techniques. Two emerging threat categories are particularly concerning for email recovery security: AI-powered social engineering and OAuth application exploitation.
Deepfakes and Voice Synthesis in Help Desk Attacks
Artificial intelligence has made it possible to create synthetic voices that are virtually indistinguishable from real people. Researchers have demonstrated that voice deepfakes require only three seconds of audio sample—easily obtained from LinkedIn videos, podcast appearances, or phishing calls—to create synthetic voices that can deceive help desk staff conducting voice-based identity verification.
This vulnerability is particularly severe because help desk staff are trained to be helpful and to assist users who sound authentic and provide personal information. An attacker with a synthetic voice combined with publicly available personal information can convince help desk staff to reset MFA credentials or modify recovery email addresses.
Rogue OAuth Applications
An increasingly critical vulnerability has emerged through the exploitation of OAuth applications. According to Mitiga's analysis of OAuth security risks, attackers use rogue OAuth applications to compromise email accounts by tricking users into granting permissions to malicious applications.
In one documented incident, attackers used a rogue OAuth application to gain access to Microsoft Graph API, which allowed them to search and extract email contents, including AWS access keys. The attackers then used these credentials to perform reconnaissance in cloud environments and ultimately gained full infrastructure takeover.
More recent attacks exploit the OAuth device authorization grant flow, where users are provided with device codes and directed to verification pages. Proofpoint's threat intelligence team documented how attackers weaponize this flow by providing users with device codes through phishing emails, claiming they represent OTP verification or MFA setup. When users enter these codes into legitimate provider verification pages, they unknowingly grant the attacker's application access to their email accounts.
Defending Against Advanced Attacks
Protecting yourself against these emerging threats requires additional vigilance:
Review OAuth Permissions Regularly: Periodically audit which applications have access to your email accounts. Revoke permissions for applications you no longer use or don't recognize. Both Gmail and Outlook provide security settings where you can view and manage connected applications.
Verify Authorization Requests: When you're asked to authorize an application, carefully verify that you initiated the authorization request and that the application is legitimate. Be particularly suspicious of unexpected authorization requests that arrive via email or text message.
Implement Help Desk Verification Procedures: If you manage accounts for an organization, implement strict verification procedures for help desk-assisted recovery. Require multiple verification factors and document all recovery requests for security review.
The Future of Account Recovery: Passwordless Authentication
The security research community increasingly recognizes that email-based password recovery mechanisms are fundamentally inadequate for modern security threats. The long-term solution requires transitioning away from password-based authentication entirely.
Passkeys and FIDO2 Authentication
Passwordless authentication approaches, such as FIDO2-compliant passkeys, eliminate the need for password recovery by replacing passwords with cryptographic key pairs stored on your devices. According to Twilio's best practices for multi-factor authentication account recovery, passkeys represent a substantial improvement in both security and recovery flexibility.
Rather than relying on a password you must remember, a passkey is a private key held on your device. The service sends a random challenge and verifies the signed response with the public key it stored at enrollment; the signed data is bound to the site's domain, which is what makes passkeys resistant to phishing. The fingerprint, face or PIN only unlocks the key locally: it never leaves the device and the service never sees it. Recovery is simpler because there is no password to forget or reset, only the question of whether you still hold a device that has the key.
However, passkeys introduce new recovery considerations. If you lose or upgrade your device without properly syncing your passkeys to a backup service, you must have an alternative recovery mechanism to regain access to your accounts. Major platforms like Apple, Google, and Microsoft are implementing passkey synchronization across devices to address this challenge.
Advanced Identity Verification Services
Emerging account recovery solutions implement comprehensive identity verification processes that substantially reduce vulnerability windows. Microsoft Entra ID Account Recovery, for example, uses third-party identity verification providers to verify government-issued identification documents and biometric data before allowing account recovery.
Once identity is verified, users receive temporary access credentials that require them to re-enroll in MFA before gaining full account access. This approach ensures that recovered accounts cannot be immediately used by attackers; instead, attackers would need to complete identity verification and biometric authentication.
These advanced recovery solutions require implementation at the identity provider level—email providers like Microsoft, Google, and others must implement comprehensive identity verification for account recovery. Individual email clients cannot implement these approaches independently, as recovery necessarily occurs at the email provider level.
Your Practical Action Plan for Securing Email Recovery
Understanding the vulnerabilities is important, but you need actionable steps you can implement today. Here's a prioritized action plan for securing your email recovery options:
Immediate Actions (Complete Within 24 Hours)
1. Verify Your Recovery Information: Log into your primary email account and review all recovery email addresses and phone numbers. Remove any outdated information, particularly email addresses from former employers or phone numbers you no longer control.
2. Enable Multi-Factor Authentication: If you haven't already, enable MFA on all email accounts. Use app-based authenticators or hardware security keys rather than SMS-based MFA, which is vulnerable to SIM swapping attacks.
3. Generate and Store Backup Codes: Generate backup codes for your MFA setup and store them in a password manager or encrypted storage. Never store backup codes in email or cloud storage.
Short-Term Actions (Complete Within One Week)
4. Review OAuth Permissions: Audit which applications have access to your email accounts. Revoke permissions for applications you don't recognize or no longer use. In Gmail, go to "Security" → "Third-party apps with account access." In Outlook, go to "Account" → "Privacy" → "Apps and services."
5. Set Up Mailbird with Secure Authentication: If you're using Mailbird, ensure all email accounts are configured using OAuth 2.0 authentication rather than basic authentication. This ensures MFA requirements are enforced and passwords aren't stored in the application.
6. Enable Security Notifications: Configure your email accounts to send notifications about password reset requests, MFA changes, and recovery email modifications. Review these notifications promptly.
Ongoing Maintenance (Quarterly Review)
7. Quarterly Recovery Information Audit: Set a calendar reminder to review recovery information every three months. Verify you still have access to recovery email addresses, test backup codes, and ensure phone numbers are current.
8. Monitor for Unauthorized Activity: Regularly review account activity logs for suspicious login attempts or recovery requests from unusual locations.
9. Stay Informed About Emerging Threats: Follow security news and updates from your email provider to stay informed about new attack techniques and recommended defenses.
Frequently Asked Questions
What should I do if I've already lost access to my recovery email address?
If you've lost access to your recovery email address but still have access to your primary account, immediately update your recovery information. Log into your email account, go to security settings, and add a new recovery email address that you currently control. Remove the outdated recovery email address once the new one is verified. If you've already lost access to your primary account and cannot access the recovery email, you'll need to use your email provider's account recovery process, which may involve identity verification through government-issued ID, answering security questions, or contacting customer support with proof of account ownership.
Is SMS-based two-factor authentication really that insecure for email recovery?
Yes, SMS-based MFA is significantly less secure than app-based authenticators or hardware security keys. NIST SP 800-63B classifies phone-delivered codes as a restricted authenticator because of SIM swapping, in which criminals convince mobile carriers to transfer your phone number to a device they control. The March 2025 T-Mobile case, where attackers stole $38 million in cryptocurrency through a SIM swap, demonstrates how serious this vulnerability is. App-based authenticators like Google Authenticator or Microsoft Authenticator generate codes on your device without depending on the cellular network, so a SIM swap does not affect them, although a phishing page can still relay those codes. Hardware security keys go further: the key only signs for the site it was registered with, so it also defeats the phishing that app-based codes do not.
How does Mailbird's local storage model affect my email recovery security?
Mailbird's local storage architecture means your email data is stored on your computer rather than on Mailbird's servers, which provides privacy benefits because Mailbird cannot access your emails and breaches of Mailbird's infrastructure cannot expose your email content. However, this architecture doesn't protect you from email provider-level recovery vulnerabilities. When you forget your Gmail or Outlook password, you must use Google's or Microsoft's account recovery process—Mailbird cannot help you recover access because it doesn't maintain your passwords. Mailbird uses OAuth 2.0 authentication, which means your email provider's MFA requirements are enforced before Mailbird receives access tokens. The security of your email recovery depends entirely on your email provider's recovery mechanisms, not on Mailbird itself.
What are backup codes and why are they more secure than security questions?
Backup codes are randomly generated strings of characters that you receive when you set up multi-factor authentication. Unlike security questions whose answers might be publicly available or researchable (like your mother's maiden name or childhood street), backup codes are generated from a cryptographic random source with enough entropy that guessing or brute-forcing them is infeasible. Each backup code typically works only once, and they're generated by the service rather than based on personal information you provide. The security of backup codes depends entirely on how you store them: keep them in a password manager, encrypted storage, or an offline location, never in email or cloud storage where they could be compromised along with your account. Stored that way, backup codes are a far stronger recovery path than knowledge-based authentication.
How can I protect myself from OAuth application attacks targeting my email?
OAuth application attacks exploit the authorization process where you grant applications permission to access your email account. To protect yourself, regularly audit which applications have access to your email by reviewing your account's security settings—in Gmail, check "Security" → "Third-party apps with account access"; in Outlook, check "Account" → "Privacy" → "Apps and services." Revoke permissions for applications you don't recognize or no longer use. Be extremely cautious when authorizing new applications, especially if the authorization request arrives unexpectedly via email or text message. Legitimate authorization requests should occur when you're actively trying to connect an application to your email account. According to Proofpoint's threat intelligence, attackers are increasingly using device code authorization flows where they provide you with codes to enter on legitimate provider verification pages, so verify that you initiated any authorization request before entering codes.
Should I use a password manager to store my email recovery information?
Yes, a reputable password manager is one of the most secure ways to store recovery information like backup codes, recovery email addresses, and security key serial numbers. Password managers use strong encryption to protect stored data and typically include features like secure sharing, emergency access, and cross-device synchronization. However, you should never store your email password and all recovery information in the same location—this creates a single point of failure. Consider using a password manager for backup codes and day-to-day credentials, but store at least one recovery method separately (such as a hardware security key kept in a secure physical location). This ensures that if your password manager is compromised or you lose access to it, you still have an independent recovery path for your email account.
What's the difference between a recovery email and a forwarding email address?
A recovery email address is used solely for account recovery purposes—it's where password reset links and account verification codes are sent when you need to regain access to your primary account. A forwarding email address automatically redirects copies of emails from one account to another. These serve completely different purposes and have different security implications. Your recovery email should be a separate account that you control and monitor regularly, ideally hosted with a different provider than your primary email for redundancy. A forwarding address creates security risks because it automatically sends copies of all your emails to another location, potentially exposing sensitive information if the forwarding destination is compromised. Never use the same email address for both recovery and forwarding, and ensure your recovery email address is as secure as your primary account with its own strong password and MFA protection.