Author's Note: If not implemented properly, the steps below can potentially increase the likelihood that your Google account is compromised. Only a minimum number of trusted individuals should be added to your account recovery process with these steps.
Recently, our team was locked out of a Google account and our access to the mobile phone number used for account recovery was not immediately available. This situation is one we have run into occasionally, with the most recent occurrence being particularly
The solution to this problem was to use a virtual phone number as the mobile recovery phone number and then combine that with some workflow automation. We did that using Twilio, which allowed us to trigger some automation in the event a text message comes through. In this case, we created a rule to forward the text message (via SendGrid) to an internal email distribution list, allowing more than one administrator to receive the locked account recovery information.
Here are the details of the situation and the workaround we implemented.
Our team uses various Google accounts to manage different services.
We use LastPass to share credentials securely with the right people on our team.
At any given time, someone on staff might be working from the office or remotely.
Accessing the same Google account from two different physical locations within a short time frame will trigger a security lock of that account.
Account recovery requires access to a mobile phone number belonging to one of the partners at our agency – someone often busy and unavailable.
The account remains locked and critically blocks staff from getting work done.
Use Twilio (a great digital communications platform we have used in apps and website projects many times before).
Acquire a new phone number and ensure you allow that number to receive text messages.
Create a function in Twilio that will run when a text message is sent to that new phone number.
The rule needs to copy the text message to SendGrid.
SendGrid is then configured to send that text to an email address.
Outside of Twilio, get your system administrator to create the email address as a group or distribution list.
Include the authorized individuals on that distribution list.
You can test your solution by using your own mobile phone to text a message to the new mobile phone number. Then, ensure that those authorized individuals on the distribution list received that text message as an email. It should happen in a few short moments, if not almost immediately.
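The workaround steps above, sketched as an added example (not the author's own code): a Twilio Function that forwards an inbound SMS to the distribution list through SendGrid's v3 Mail Send API. The environment variable names and the check on the destination number are assumptions, and a Node.js 18+ runtime with global `fetch` is assumed.

```javascript
// Added example: Twilio Function that relays an inbound SMS to email via SendGrid.
// RECOVERY_NUMBER, RECOVERY_LIST_EMAIL, FROM_EMAIL and SENDGRID_API_KEY are
// hypothetical environment variable names set in the Function's configuration.

// Build the SendGrid request body from the inbound-SMS webhook parameters.
function buildRecoveryMail(event, cfg) {
  // Forward only messages addressed to the recovery number; ignore anything else.
  if (!event || event.To !== cfg.recoveryNumber) return null;
  const body = String(event.Body || '').slice(0, 1600); // cap the forwarded length
  return {
    personalizations: [{ to: [{ email: cfg.listEmail }] }],
    from: { email: cfg.fromEmail },
    // Keep the SMS text (and any code in it) out of the subject line.
    subject: `Recovery SMS received on ${event.To}`,
    content: [{ type: 'text/plain', value: `From: ${event.From}\n\n${body}` }],
  };
}

async function handler(context, event, callback) {
  const mail = buildRecoveryMail(event, {
    recoveryNumber: context.RECOVERY_NUMBER,
    listEmail: context.RECOVERY_LIST_EMAIL,
    fromEmail: context.FROM_EMAIL,
  });
  try {
    if (mail) {
      const res = await fetch('https://api.sendgrid.com/v3/mail/send', {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${context.SENDGRID_API_KEY}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(mail),
      });
      // SendGrid answers 202 Accepted; log the status only, never the SMS body.
      if (!res.ok) console.error(`SendGrid returned ${res.status}`);
    }
    // Empty TwiML: no SMS reply is sent back to the sender.
    callback(null, new Twilio.twiml.MessagingResponse());
  } catch (err) {
    callback(err);
  }
}

// Twilio Functions entry point (guarded so the file also loads outside the runtime).
if (typeof exports !== 'undefined') exports.handler = handler;
```

Setting the Function's visibility to Protected makes Twilio reject requests that do not carry a valid Twilio signature, so only Twilio's webhook can trigger the forward. The SendGrid API key needs nothing beyond the Mail Send permission.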