account-lockout-resilience-password-manager-email-passkeys-playbook-handoff_2026-03-18

Account Lockout Resilience, Password Manager, Email, and Passkeys Playbook + AI Handoff

Research-grade extraction and improved playbook based on the discussion about Bitwarden, Gmail/Google lockout risk, Zoho-based recovery, passkeys, and anti-lockout identity architecture
Date: 2026-03-18
Prepared for: Dmitri
Document type: Guide / playbook / briefing memo / handoff artifact for another AI

---

Executive Summary

This discussion centered on one practical problem: how to build an identity, email, and password-manager setup that is both highly secure and recoverable for a professional with a public-facing personal brand.

The most important conclusion is:

1. Do not leave the password manager dependent on email-based second-factor or recovery paths, especially when that email is itself a crown-jewel account.

   • Status: Verified + derived conclusion
   • Bitwarden supports stronger second-factor methods such as FIDO2/WebAuthn, including hardware security keys and platform authenticators. Bitwarden also requires users to proactively save recovery codes outside the vault.
   • Source: Bitwarden Help Center, “Passkey Two-Step Login,” “Recovery Code for Two-Step Login,” “Can’t Access Two-Step Login.”

2. Do not “solve” lockout risk merely by switching root logins from Gmail to Zoho.

   • Status: Assistant-derived conclusion from verified facts
   • Moving to Zoho can improve provider diversity, but only if the entire recovery chain is independent. A custom-domain mailbox is not a true fallback if the same registrar, DNS account, admin account, or billing dependency can also fail.

3. Use phishing-resistant authentication for crown-jewel accounts.

   • Status: Verified
   • Google, CISA, FIDO, and NIST all support phishing-resistant approaches such as passkeys / security keys / FIDO2-based authentication over weaker methods like SMS or email codes.
   • Sources: Google Account Help, CISA MFA guidance, NIST SP 800-63B, FIDO Alliance.

4. Recovery architecture matters as much as authentication architecture.

   • Status: Verified + derived conclusion
   • Google explicitly recommends recovery information that is different from the sign-in address, and Google Workspace documentation explicitly describes a secondary/recovery email as an address outside the domain used for the account. NIST warns that syncable authenticator ecosystems introduce recovery-path risk that must be managed.
   • Sources: Google Account Help, Google Workspace Knowledge Base, NIST.

5. A proper anti-lockout design for a founder / consultant / security-conscious professional should include:

   • a password manager secured by FIDO2/WebAuthn, not email;
   • at least two hardware security keys for crown-jewel accounts;
   • an independent recovery mailbox/provider;
   • offline recovery codes and an offline break-glass kit;
   • separate admin-only and day-to-day identities;
   • carrier-account protections against SIM swap / port-out abuse.
   • Status: Mixed: partly verified, partly assistant-derived best practice.

---

Purpose of This Document

This document is designed to:

• extract the most important points from the discussion;
• verify material claims against official or otherwise high-quality sources where possible;
• clearly distinguish verified facts from user statements, assistant conclusions, and speculation;
• turn the discussion into an operational playbook that can be used by Dmitri or handed to another AI without needing the original conversation;
• identify important missing considerations that logically belong in a complete anti-lockout / account-resilience strategy.

This is not just a recap. It is an improved, structured, and source-backed version of the discussion.

---

Discussion Context

What the user asked about

The user asked for best practices for professionals with a professional personal brand and security awareness, especially around:

• email and password-manager login architecture;
• Bitwarden using email-linked second-factor / recovery that may depend on Gmail;
• fear of being locked out of Gmail or Google by risk systems or account decisions;
• whether a separate Zoho-hosted mailbox on sage.me should become the identity anchor or recovery plane;
• where passkeys fit into the design;
• how to avoid circular dependency / “chicken-and-egg” lockout scenarios;
• how to advise other people or clients so they do not get locked out.

Important user-stated facts

Point	Evidence status	Notes
User has Bitwarden.	User-stated	Not independently verified in this artifact.
User is concerned Bitwarden depends on email to Gmail for access or recovery, creating a circular dependency.	User-stated	This is the core problem statement.
User has a separate domain and email hosting through Zoho for sage.me.	User-stated	Not independently verified in this artifact.
User is considering whether key logins should use the Zoho-hosted identity instead of Gmail.	User-stated	Strategic question, not yet a decision.
User wants a complete guide for both personal use and client advice.	User-stated	This shaped the playbook sections below.

Scope and constraints

• This artifact focuses on identity resilience / anti-lockout architecture, not general password hygiene alone.
• The document uses current public vendor/security guidance available as of 2026-03-18.
• Some recommendations are design judgments derived from verified facts; those are labeled accordingly.

---

Evidence Legend

• Verified — Supported directly by a cited source.
• User-stated — Said by the user in the discussion; not independently verified here.
• Assistant-stated but unverified — Present in the discussion but not fully verified from authoritative sources during this pass.
• Tentative / speculative — A hypothesis, design option, or inference that may be reasonable but is not established fact.

---

Key Facts and Verified Findings

1) Bitwarden supports stronger second-factor methods than email

• Point: Bitwarden supports FIDO2/WebAuthn two-step login for all users, including security keys and some platform authenticators such as Windows Hello.
• Status: Verified
• Why it matters: The user’s current concern is specifically about Bitwarden relying on email. Bitwarden supports stronger options that reduce this dependency.
• Evidence: Bitwarden Help Center states that FIDO2 WebAuthn two-step login is available to free users and supports certified credentials such as YubiKeys, SoloKeys, Nitrokeys, and some native biometrics.
• Reference: Bitwarden Help — Passkey Two-Step Login

2) Bitwarden email-based two-step login exists and can create circular dependency risk

• Point: Bitwarden offers email-based two-step login, sending verification codes to a configured email address.
• Status: Verified
• Why it matters: If that mailbox is itself a root account or may become inaccessible, the lockout risk becomes circular.
• Evidence: Bitwarden Help Center describes configuring email as a two-step login method.
• Reference: Bitwarden Help — Email Two-Step Login

3) Bitwarden recovery codes must be proactively saved outside the vault

• Point: Bitwarden recovery codes are generated when two-step login is set up; Bitwarden cannot retrieve them later on the user’s behalf; after a recovery code is used, a new one is generated and must be saved again.
• Status: Verified
• Why it matters: This is a critical anti-lockout measure and an easy place to fail operationally.
• Evidence: Bitwarden documentation states recovery codes must be saved outside the vault and change after use.
• References:
  • Bitwarden Help — Recovery Code for Two-Step Login
  • Bitwarden Help — Can’t Access Two-Step Login

4) Bitwarden supports encrypted exports, including password-protected encrypted JSON

• Point: Bitwarden supports encrypted vault exports, including password-protected exports that are portable to another Bitwarden account.
• Status: Verified
• Why it matters: A tested offline backup/export materially improves recovery options if account login becomes impossible.
• Evidence: Bitwarden documentation distinguishes “account restricted” and “password protected” encrypted export types and notes account-restricted exports can become unusable if the account encryption key rotates.
• References:
  • Bitwarden Help — Encrypted Exports
  • Bitwarden Help — Export Vault Data

5) Bitwarden Emergency Access exists, but it is a premium feature

• Point: Emergency Access allows trusted contacts to request View or Takeover access to a Bitwarden vault, with a configurable wait time.
• Status: Verified
• Why it matters: This can reduce catastrophic lockout risk, but it introduces trust and governance risk.
• Evidence: Bitwarden Help documents Emergency Access mechanics; Bitwarden pricing/FAQ indicate the feature is available on Premium / Families, not Free.
• References:
  • Bitwarden Help — Emergency Access
  • Bitwarden Pricing
  • Bitwarden Help — Product FAQs

6) Google explicitly supports passkeys and describes them as more phishing-resistant than passwords

• Point: Google supports passkeys for Google Accounts and says passkeys are more secure against phishing because they cannot be shared, copied, or casually handed over like passwords.
• Status: Verified
• Why it matters: This supports moving crown-jewel Google accounts toward passkeys/security keys.
• Evidence: Google Account Help page on passkeys.
• Reference: Google Account Help — Sign in with a passkey instead of a password

7) Google Advanced Protection requires passkeys or security keys

• Point: Google’s Advanced Protection Program requires passkeys or security keys and is positioned as Google’s strongest account protection option.
• Status: Verified
• Why it matters: For a founder, security consultant, or high-value target, this is directly relevant.
• Evidence: Google support documentation states Advanced Protection requires passkeys or security keys.
• References:
  • Google Account Help — Get Google’s strongest account security with Advanced Protection
  • Google Account Help — Common questions with Advanced Protection Program

8) Google supports backup codes for account access if the normal second step is unavailable

• Point: Google backup codes can be generated for use when the user loses normal second-step access.
• Status: Verified
• Why it matters: Backup codes are a simple but essential anti-lockout fallback.
• Evidence: Google Account Help documentation on backup codes.
• Reference: Google Account Help — Sign in with backup codes

9) Google says recovery email should be different from the sign-in address

• Point: Google instructs users to choose a recovery email address that is different from the one used to sign in.
• Status: Verified
• Why it matters: This directly supports the “independent recovery plane” concept.
• Evidence: Google recovery help pages.
• References:
  • Google Account Help — Set up recovery options
  • Google Account Help — Avoid getting locked out of your Google Account

10) Google Workspace explicitly defines the secondary/recovery email as outside the domain used for the account

• Point: Google Workspace documentation defines the secondary/recovery email used for support/account-recovery purposes as an email address outside the domain used for the account.
• Status: Verified
• Why it matters: This is one of the strongest official supports for provider/domain separation in recovery architecture.
• Evidence: Google Workspace Knowledge Base article on account recovery information for support.
• References:
  • Google Workspace Knowledge Base — Account recovery information for Support
  • Google Workspace Knowledge Base — Add recovery information for admins & users

11) Google recommends multiple super admins and not using a super admin account for daily work

• Point: Google recommends more than one super admin account and says super admin accounts should not be used for daily activities.
• Status: Verified
• Why it matters: This validates the admin-only vs day-to-day identity split.
• Evidence: Google Workspace admin best-practice guidance.
• Reference: Google Workspace Admin Help — Security best practices for administrator accounts

12) Google warns not to use Google Voice for Google verification codes

• Point: Google explicitly warns that if you use Google Voice to receive verification codes, you can lock yourself out of your account.
• Status: Verified
• Why it matters: This is a concrete example of a self-referential recovery loop.
• Evidence: Google support page on common 2-Step Verification issues.
• Reference: Google Account Help — Fix common issues with 2-Step Verification

13) Google account recovery and some sensitive actions can be delayed after auth/recovery changes

• Point: Google states that some changes to recovery or authentication factors can take up to 7 days to take effect, and account recovery can be delayed by hours or days.
• Status: Verified
• Why it matters: Important operational caveat: do not make critical auth changes immediately before travel, a launch, or an expected risky period.
• Evidence: Google account recovery/help pages.
• References:
  • Google Account Help — How to recover your Google Account or Gmail
  • Google Account Help — Why your account recovery request is delayed
  • Google Account Help — Verify it’s you when you complete a sensitive action

14) NIST, CISA, and FIDO support phishing-resistant authentication and warn about recovery-path weaknesses

• Point: NIST recognizes phishing-resistant authenticators such as FIDO2/WebAuthn. CISA urges phishing-resistant MFA where possible. FIDO explains passkeys as phishing-resistant, domain-bound credentials. NIST also notes that synced/cloud-backed authenticators shift risk into the cloud recovery/sync fabric and require proper recovery controls.
• Status: Verified
• Why it matters: This is the standards-level backing for using passkeys/security keys while still treating recovery as a first-class design problem.
• Evidence: NIST SP 800-63B pages and supplement, CISA MFA guidance, FIDO Alliance materials.
• References:
  • NIST SP 800-63B
  • NIST SP 800-63B Supplement 1 — Incorporating Syncable Authenticators
  • NIST — Syncable Authenticators
  • CISA — Require Multifactor Authentication
  • FIDO Alliance — Passkeys
  • FIDO Alliance — How Passkeys Work

15) Zoho supports MFA backup codes and administrative/user recovery paths

• Point: Zoho supports MFA backup verification codes, recovery methods, and admin-assisted recovery flows.
• Status: Verified
• Why it matters: This means Zoho can credibly serve as part of an independent recovery plane if set up correctly.
• Evidence: Zoho Accounts / Zoho Mail / Zoho One help documents.
• References:
  • Zoho Accounts — Backup Verification Codes
  • Zoho Accounts — Recover your Zoho account
  • Zoho OneAuth — Recover OneAuth account
  • Zoho Mail Admin — Two-factor Authentication
  • Zoho Mail Admin — Password Reset

16) Phone-number-based recovery is vulnerable to SIM swap / port-out abuse; carriers should have account PINs and, where available, port-out locks

• Point: FCC/CISA materials describe SIM swap and port-out fraud risk; FCC consumer guidance recommends proactively adding a PIN or password with the phone company to verify identity when calling about the phone account.
• Status: Verified
• Why it matters: Phone numbers are commonly used in recovery flows, so carrier-account security becomes part of the identity stack.
• Evidence: FCC consumer guidance and CISA materials.
• References:
  • FCC — Port-Out Fraud Targets Your Private Accounts
  • CISA — Implementing Phishing-Resistant MFA (fact sheet)

---

Major Decisions and Conclusions

Conclusion	Evidence status	Basis
Replace Bitwarden email-based second factor with FIDO2/WebAuthn.	Assistant conclusion derived from verified facts	Bitwarden supports stronger non-email methods; email-based methods create circular recovery risk.
Keep at least two hardware security keys for crown-jewel accounts.	Assistant conclusion derived from verified facts	Google and Bitwarden support security keys; redundancy is necessary to avoid single-point lockout.
Treat Gmail/Google, Bitwarden, registrar, DNS, carrier account, and recovery mailbox as crown-jewel accounts.	Assistant-stated but unverified	Strong best practice, but not directly stated in one single source in this exact form.
Do not simply move all key logins from Gmail to Zoho and assume the problem is solved.	Assistant conclusion derived from verified facts	Provider diversity only helps when recovery and admin dependencies are truly independent.
Use a recovery mailbox outside the primary account domain/provider.	Verified + assistant conclusion	Google guidance explicitly supports separate recovery addresses and Workspace secondary email outside the domain used for the account.
Separate daily-use identities from admin/root identities.	Verified + assistant conclusion	Google recommends not using super admin for day-to-day work and having multiple super admins.
Maintain offline recovery codes and an offline break-glass kit.	Verified + assistant conclusion	Both Google and Bitwarden rely on proactively saved backup/recovery material.
Consider Google Advanced Protection for the highest-risk Google account(s).	Verified recommendation	Google positions it as the strongest protection and requires passkeys/security keys.
Consider Bitwarden Emergency Access if the user wants a trusted-person recovery path.	Verified recommendation with caveat	Official feature exists, but it introduces trust/governance risks and requires Premium.
Run periodic recovery drills.	Assistant-stated but unverified	Strong operational best practice, but not tied here to one cited vendor requirement.

---

Reasoning, Tradeoffs, and Why It Matters

A. The real problem is not “strong authentication” alone — it is recoverable authentication

• Status: Assistant-derived framing
• A setup can be extremely secure on paper and still fail catastrophically if:
  • the password manager depends on email;
  • email depends on the password manager;
  • the custom-domain email depends on registrar/DNS/admin access that shares the same weak points;
  • the phone number used for recovery can be stolen via SIM swap / port-out attack.

B. Why switching from Gmail to Zoho is not automatically the answer

• Status: Assistant conclusion derived from verified facts
• Moving to Zoho improves provider diversity, which is good.
• But it only reduces lockout risk if all of the following are also true:
  • the Zoho admin path is separately protected;
  • the domain registrar and DNS accounts are strongly protected;
  • billing/renewal for the domain and mail account are not fragile;
  • the recovery email for Zoho is not the same Gmail account you are trying to get away from;
  • the password manager no longer depends on email in the first place.
• In other words: Zoho is potentially a good independent recovery plane, but only if it is actually independent.

C. Where passkeys fit

• Status: Verified + assistant interpretation
• Passkeys are useful because they are phishing-resistant and domain-bound.
• For high-value personal/business accounts:
  • syncable passkeys improve usability and cross-device recoverability;
  • device-bound hardware keys improve control and reduce dependence on the passkey-provider cloud account.
• NIST specifically notes that cloud-backed sync/recovery can become a weakness if the sync/recovery fabric is compromised or poorly managed.
• Practical takeaway:
  • use passkeys broadly where available;
  • use hardware security keys for the most critical accounts;
  • avoid letting a single sync provider become the only way back in.

D. Why the password manager must be treated as different from ordinary accounts

• Status: Assistant conclusion derived from verified facts
• Most accounts can survive a provider issue or reset.
• The password manager is different because it stores recovery and access paths for many other systems.
• Therefore the password manager should have:
  • the strongest practical second factor;
  • offline recovery material;
  • an offline export/backup plan;
  • optionally a trusted human recovery path.

E. Why admin accounts must be split from daily-use accounts

• Status: Verified + assistant interpretation
• Daily-use accounts face more browser sessions, app connections, phishing attempts, device loss, and risky sign-ins.
• Admin/root accounts should be:
  • rarely used;
  • protected with stronger authentication;
  • excluded from casual browsing/email workflows when possible.
• Google’s guidance strongly supports this model for Workspace admins.

F. Why carrier security matters

• Status: Verified + assistant interpretation
• Many “backup” flows use phone numbers.
• If the carrier account is weak, attackers can subvert otherwise decent MFA through port-out or SIM swap.
• This makes the mobile carrier account part of the root-of-trust stack.

---

Recommended Playbook / Process

1) Build an identity map first

Before changing anything, inventory the following:

Identity tiers

1. Root / crown-jewel accounts

   • primary personal email
   • primary business email admin account
   • password manager
   • domain registrar
   • DNS provider
   • Google Workspace or Microsoft/Apple root identity
   • mobile carrier account
   • banking / payment rails

2. Admin-only identities

   • Workspace super admin
   • Zoho super admin / org admin
   • registrar admin
   • DNS admin

3. Daily-use identities

   • main personal brand email
   • standard business user email
   • routine SaaS accounts

4. Recovery identities

   • independent recovery mailbox/provider
   • trusted recovery phone
   • offline break-glass materials
   • optional trusted human emergency contact

Output to produce: a one-page dependency map showing what each crown-jewel account relies on for login, MFA, recovery, and billing.

---

2) Password manager standard (Bitwarden-specific)

Target state

• Master password: strong, unique, memorized
• Second factor: FIDO2/WebAuthn, not email
• Redundancy: at least 2 hardware security keys
• Recovery code: stored outside the vault
• Backup: password-protected encrypted export
• Optional human recovery: Emergency Access with well-defined guardrails

Step-by-step

1. Confirm all current Bitwarden second-factor methods and whether email-based 2FA is enabled.

   • Status: Open question for the user.

2. Enable FIDO2/WebAuthn for Bitwarden.

   • Register primary hardware key.
   • Register backup hardware key.
   • If useful, also register a platform authenticator for convenience, but do not rely on it alone.

3. Retrieve and store the Bitwarden recovery code offline.

   • Print it or store it in a secure physical record.
   • Do not store the only copy inside Bitwarden.

4. Create a password-protected encrypted export.

   • Prefer password-protected encrypted JSON over account-restricted export if you want recovery flexibility across accounts.
   • Store the export offline (for example, encrypted removable media in a secure location).

5. If desired and acceptable:

   • set up Bitwarden Emergency Access for one trusted person;
   • use a meaningful wait timer;
   • decide whether “View” or “Takeover” is actually acceptable;
   • document the governance implications.

6. Test the flow in a clean browser:

   • new-device login;
   • hardware-key login;
   • recovery-code location check;
   • export readability / procedural validity.

Bitwarden-specific caveats

• Emergency Access is a premium feature.
• “Takeover” changes the account’s master password and disables two-step login on the account after takeover.
• Account-restricted exports can break if the account encryption key changes.
• Statuses: Verified

---

3) Google / Gmail / Google Workspace standard

Target state

• passkeys and/or security keys enabled;
• backup codes generated and stored offline;
• recovery email different from sign-in email;
• recovery phone secured and still reachable;
• admin account separated from daily account;
• optional Advanced Protection for the highest-risk account.

Step-by-step

1. Identify which Google account is which:

   • consumer Gmail?
   • Google Workspace user account?
   • Workspace super admin?
   • daily-use vs root/admin?

2. For the highest-value Google account:

   • enable passkeys;
   • add one or more hardware security keys;
   • generate backup codes;
   • store backup codes offline.

3. Configure recovery info:

   • recovery email that is different from the sign-in email;
   • ideally on a different provider/domain path;
   • recovery phone that belongs only to the user and is protected at the carrier level.

4. If Google Workspace is involved:

   • ensure more than one super admin exists if organizationally feasible;
   • stop using super admin for daily work;
   • maintain a secondary/recovery email outside the Workspace domain path.

5. Consider Advanced Protection for the most sensitive Google identity.

6. Avoid making major auth/recovery changes right before travel or other high-risk periods.

   • Google may delay some recovery/auth effects by several days.

Google-specific caveats

• Do not use Google Voice as the dependency that must deliver Google verification codes.
• If Google disables the account, appeal/recovery processes may be required and outcomes are not guaranteed.
• Recovery path changes may not take effect immediately.

---

4) Zoho / custom-domain email standard

What Zoho can be used for

• an independent recovery mailbox/provider;
• a business identity not fully coupled to Google;
• a secondary control plane for alerts, recovery messages, and admin notifications.

What Zoho should not be assumed to solve automatically

• registrar lockout;
• DNS compromise;
• billing lapse on the domain or Zoho tenant;
• circular recovery if Zoho itself points back to Gmail or the same phone dependency.

Step-by-step

1. Enable MFA on Zoho.
2. Generate and securely store Zoho backup verification codes.
3. Confirm recovery methods and support/admin recovery options.
4. Protect the Zoho admin/super-admin identity separately from daily-use mail.
5. Confirm the domain registrar and DNS provider are also protected with strong MFA and separate recovery.

Decision rule

Use Zoho as part of the recovery design only if:

• it is not dependent on the same fragile recovery chain;
• its admin account is separately protected;
• its domain control path is separately protected.

Assessment: Using Zoho as an independent recovery plane is reasonable, but not automatically sufficient.

• Status: Assistant conclusion derived from verified facts

---

5) Hardware security key standard

Minimum

• 2 FIDO2-compatible security keys
  • one primary, kept with you;
  • one backup, kept offline in a secure location.

Better

• 3 keys
  • primary on person;
  • backup in safe/offsite;
  • admin-only key for crown-jewel admin accounts.

Operational notes

• label them clearly but discreetly;
• enroll all keys at the same time where possible;
• document which accounts each key is enrolled in;
• test them after enrollment.

Status: Assistant-stated but unverified as a specific number standard, though supported by vendor ecosystems generally.

---

6) Carrier-account standard

Required actions

• set a carrier account PIN/passcode;
• ask whether the carrier supports port-out lock / number lock;
• verify account contact channels;
• reduce use of SMS as a root recovery method where stronger methods exist.

Why

Phone-number compromise can undermine account recovery and SMS-based second factors.

Status: Verified + assistant interpretation

---

7) Offline break-glass kit

Suggested contents

• Bitwarden recovery code
• Google backup codes
• Zoho backup codes / recovery instructions
• list of crown-jewel accounts and what they depend on
• spare hardware key location
• registrar and DNS provider names
• carrier account PIN existence note
• support/recovery URLs for key providers
• optional sealed instructions for trusted spouse/partner/executor/emergency contact

Storage

• physical secure location;
• ideally duplicated in two secure places if the threat model justifies it.

Important caveat

Any physical recovery kit becomes a high-value target and must be physically secured.

Status: Assistant-stated but unverified as a bundled playbook item, though based on verified provider requirements for backup/recovery material.

---

8) Recovery drill standard

Suggested quarterly drill

1. Confirm hardware keys still work.
2. Confirm recovery codes are still present and readable.
3. Confirm backup export is present and the procedure to use it is documented.
4. Confirm recovery mailbox is accessible.
5. Confirm carrier PIN/lock is still active.
6. Confirm admin-only account credentials / methods are intact.
7. Confirm no provider/billing/domain expiry problems exist.

Status: Assistant-stated but unverified, but strongly recommended operationally.

---

9) What to advise clients / other professionals

Minimum acceptable standard

• password manager;
• unique passwords;
• MFA on important accounts;
• recovery email and phone updated;
• backup codes stored outside the primary account.

Better standard

• phishing-resistant MFA for crown jewels;
• separate admin-only identity;
• separate recovery mailbox/provider;
• carrier account PIN and port-out controls;
• offline recovery kit.

Best standard for founders / executives / public figures / security professionals

• password manager with non-email second factor;
• multiple hardware keys;
• independent recovery plane;
• admin vs daily-use separation;
• documented break-glass SOP;
• periodic recovery drills;
• tested provider-specific recovery paths.

---

Tools, Resources, Links, and References

Bitwarden

1. Bitwarden Help — Passkey Two-Step Login
   https://bitwarden.com/help/setup-two-step-login-fido/

2. Bitwarden Help — Email Two-Step Login
   https://bitwarden.com/help/setup-two-step-login-email/

3. Bitwarden Help — Recovery Code for Two-Step Login
   https://bitwarden.com/help/two-step-recovery-code/

4. Bitwarden Help — Can’t Access Two-Step Login
   https://bitwarden.com/help/lost-two-step-device/

5. Bitwarden Help — Encrypted Exports
   https://bitwarden.com/help/encrypted-export/

6. Bitwarden Help — Export Vault Data
   https://bitwarden.com/help/export-your-data/

7. Bitwarden Help — Emergency Access
   https://bitwarden.com/help/emergency-access/

8. Bitwarden Pricing
   https://bitwarden.com/pricing/

9. Bitwarden Help — Product FAQs
   https://bitwarden.com/help/product-faqs/

Google / Google Workspace

10. Google Account Help — Sign in with a passkey instead of a password
    https://support.google.com/accounts/answer/13548313?hl=en

11. Google Account Help — Common questions with Advanced Protection Program
    https://support.google.com/accounts/answer/7539956?hl=en

12. Google Account Help — Get Google’s strongest account security with Advanced Protection
    https://support.google.com/accounts/answer/7519408?co=GENIE.Platform%3DAndroid&hl=en

13. Google Account Help — Sign in with backup codes
    https://support.google.com/accounts/answer/1187538?co=GENIE.Platform%3DDesktop&hl=en

14. Google Account Help — Set up recovery options
    https://support.google.com/accounts/answer/183723?co=GENIE.Platform%3DDesktop&hl=en

15. Google Account Help — Avoid getting locked out of your Google Account
    https://support.google.com/accounts/answer/7684753?co=GENIE.Platform%3DAndroid&hl=en

16. Google Account Help — Fix common issues with 2-Step Verification
    https://support.google.com/accounts/answer/185834?hl=en

17. Google Account Help — How to recover your Google Account or Gmail
    https://support.google.com/accounts/answer/7682439?hl=en

18. Google Account Help — Why your account recovery request is delayed
    https://support.google.com/accounts/answer/9412469?hl=en

19. Google Account Help — Verify it’s you when you complete a sensitive action
    https://support.google.com/accounts/answer/7162782?co=GENIE.Platform%3DAndroid&hl=en

20. Google Workspace Admin Help — Security best practices for administrator accounts
    https://support.google.com/a/answer/9011373?hl=en-JO&ref_topic=2785005

21. Google Workspace Knowledge Base — Account recovery information for Support
    https://knowledge.workspace.google.com/admin/users/account-recovery-information-for-support

22. Google Workspace Knowledge Base — Add recovery information for admins & users
    https://knowledge.workspace.google.com/admin/users/add-recovery-information-for-admins-and-users

Standards / security bodies

23. NIST SP 800-63B
    https://pages.nist.gov/800-63-4/sp800-63b.html

24. NIST SP 800-63B Supplement 1 — Incorporating Syncable Authenticators Into NIST SP 800-63B
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63Bsup1.pdf

25. NIST — Syncable Authenticators
    https://pages.nist.gov/800-63-4/sp800-63b/syncable/

26. CISA — Require Multifactor Authentication
    https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/require-multifactor-authentication

27. CISA — Implementing Phishing-Resistant MFA (fact sheet)
    https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

28. FIDO Alliance — Passkeys
    https://fidoalliance.org/passkeys/

29. FIDO Alliance — How Passkeys Work
    https://fidoalliance.org/how-fido-works/

Zoho

30. Zoho Accounts — Backup Verification Codes
    https://help.zoho.com/portal/en/kb/accounts/multi-factor-authentication/articles/mfa-backup-verification-codes

31. Zoho Accounts — Recover your Zoho account
    https://help.zoho.com/portal/en/kb/accounts/faqs-troubleshooting/troubleshooting/account-recovery/articles/recover-your-zoho-account

32. Zoho OneAuth — Recover OneAuth account
    https://help.zoho.com/portal/en/kb/accounts/oneauth/secure-zoho-account-with-mfa/articles/recover

33. Zoho Mail Admin — Two-factor Authentication
    https://www.zoho.com/mail/help/adminconsole/two-factor-authentication.html

34. Zoho Mail Admin — Password Reset
    https://www.zoho.com/mail/help/adminconsole/password-reset.html

Carrier / phone-security

35. FCC — Port-Out Fraud Targets Your Private Accounts
    https://www.fcc.gov/consumers/scam-alert/port-out-fraud-targets-your-private-accounts

36. FCC — Protecting Consumers from SIM Swapping and Port-Out Fraud (rule text / related material)
    https://docs.fcc.gov/public/attachments/DOC-397990A1.txt

---

Risks, Caveats, and Red Flags

1) Circular dependency risk

• Status: Verified in substance + assistant interpretation
• Example pattern:
  • Bitwarden depends on Gmail email codes;
  • Gmail depends on Bitwarden-stored credentials or recovery;
  • recovery phone depends on the same compromised phone number;
  • custom-domain mail depends on registrar/DNS locked behind the same identity stack.

2) Custom-domain mailbox is not truly independent if the domain stack is fragile

• Status: Assistant conclusion derived from verified facts
• If the registrar, DNS, billing, or mail-admin account fail, the mailbox may not be a reliable recovery plane.

3) Hardware-key loss without redundancy

• Status: Assistant-stated but unverified
• One key is not enough if the goal is anti-lockout.

4) Emergency Access has governance risk

• Status: Verified
• “Takeover” is powerful and may be inappropriate for some threat models or relationship structures.

5) Passkey sync-provider dependence

• Status: Verified
• Syncable passkeys are convenient, but NIST notes cloud recovery/sync layers become part of the security model and can be a weak point.

6) Recovery changes may not help immediately

• Status: Verified
• Google may delay the effectiveness of some recovery/auth changes.

7) SMS / phone number as root fallback has fraud risk

• Status: Verified
• Carrier-level attacks can defeat otherwise reasonable recovery setups.

8) Backup material can itself become a liability

• Status: Assistant-stated but unverified
• Printed codes, exported vault backups, and physical keys must be secured from theft, not just loss.

9) Support-driven recovery is often messy and not guaranteed

• Status: Verified in part / assistant interpretation
• Official docs describe support and recovery paths, but real-world success may vary. Do not design a system that assumes support will quickly restore access.

---

Open Questions / What Still Needs Verification

1. Is Bitwarden currently using email-based two-step login, email verification on unrecognized devices, or both?

   • This materially affects the exact remediation steps.

2. Is the Google account in question a consumer Gmail account, a Google Workspace user, or a Workspace super admin?

   • Admin guidance differs meaningfully from standard-user guidance.

3. What is the current domain registrar and DNS provider for the user’s relevant domains?

   • A custom-domain mailbox is only as independent as those control planes.

4. Is sage.me registered and managed under a completely separate root identity from the Google account the user is worried about?

   • If not, the independence benefit may be overstated.

5. Does the user already own FIDO2 hardware security keys? If so, how many and which models?

6. What is the current phone carrier, and does it support a robust account PIN / number lock / port-out lock?

7. Would the user actually want a trusted-human recovery path (for example spouse, partner, executor, close business partner), or is that outside the acceptable trust model?

8. Does the user want a single “forever” personal identity anchor separate from rebrandable business identities?

   • This is strategically important for founders with evolving brands/domains.

9. Has the user already stored recovery codes and backup exports anywhere? If yes, are they tested and accessible?

10. Are there other crown-jewel accounts not discussed yet?

    • Apple ID / Microsoft account / banking / registrar / Cloudflare / GitHub / mobile carrier / Stripe / Mercury / etc.

---

Suggested Next Steps

Immediate (next 24 hours)

1. Audit Bitwarden second-factor settings.
2. Confirm whether email-based 2FA is active.
3. Buy or identify at least two FIDO2 security keys if not already owned.
4. Generate / locate Bitwarden recovery code and store it offline.
5. Generate / locate Google backup codes and store them offline.
6. Add or validate recovery email that is different from the sign-in account.
7. Add or validate carrier account PIN / port-out protection.

Short term (next 7 days)

1. Migrate Bitwarden to FIDO2/WebAuthn-based second factor.
2. Enroll both hardware keys on Bitwarden and crown-jewel Google accounts.
3. Create a password-protected encrypted Bitwarden export and store it securely offline.
4. Decide whether Zoho will serve as the recovery plane, daily identity, or both.
5. Harden Zoho admin/recovery settings and confirm backup codes.
6. Separate admin-only and daily-use accounts where applicable.
7. Document a one-page break-glass SOP.

Medium term (next 30 days)

1. Run a clean-browser recovery/access drill.
2. Inventory crown-jewel accounts and dependencies.
3. Consider Google Advanced Protection for the highest-risk account.
4. Decide on Bitwarden Emergency Access if a trusted human recovery path is desired.
5. Create a reusable client advisory or SOP based on the same architecture.

---

Handoff Notes for Another AI

User goal

The user wants a complete, practical anti-lockout and identity-resilience strategy for themselves and for advising clients. The user is especially concerned about circular dependencies between password manager, email, recovery paths, and provider lockouts.

Important user context

• Security-aware professional with a public-facing / professional personal brand.
• Already uses Bitwarden.
• Concerned about Gmail/Google as a brittle dependency.
• Has a separate Zoho-hosted mailbox/domain (sage.me) and is considering how to position it.
• Wants not just security theory, but a durable operational design.

What another AI should not assume

• Do not assume Gmail should remain the root identity.
• Do not assume Zoho is automatically safer or more resilient.
• Do not assume the user has hardware keys already.
• Do not assume Google Workspace vs consumer Gmail without asking or inferring from context.
• Do not assume the user wants a spouse/partner emergency-access design.

Likely next deliverables another AI could help produce

1. A personalized dependency map of the user’s crown-jewel accounts.
2. A one-page SOP for Bitwarden + Google + Zoho + registrar + carrier.
3. A client-facing anti-lockout checklist for executives/founders.
4. A break-glass binder template.
5. A decision matrix for Gmail vs Zoho vs custom-domain identity roles.
6. A hardware-key enrollment plan.
7. A recovery drill runbook.

Best next question for another AI to ask

“List your actual crown-jewel accounts and their current login / MFA / recovery dependencies so I can map the loops and propose the exact final architecture.”

---

Reviewer Notes and Improvements Made

Reviewer mode used: Serious self-review pass (no separate reviewer-agent capability was available during this run).

Improvements made beyond the original discussion

1. Verified the core Bitwarden claims rather than relying on memory:

   • FIDO2/WebAuthn availability;
   • email-based 2FA existence;
   • recovery-code handling;
   • encrypted exports;
   • Emergency Access and its premium status.

2. Verified Google’s current passkey / Advanced Protection / backup-code / recovery guidance and added important caveats about:

   • Google Voice causing lockout loops;
   • recovery-delay windows;
   • super-admin account separation.

3. Added Google Workspace-specific recovery design evidence showing that a secondary/recovery email is expected to be outside the account’s domain.

4. Added NIST/CISA/FIDO context to strengthen the reasoning around phishing-resistant authentication and the tradeoffs of syncable passkeys.

5. Added Zoho-specific evidence so the recommendation about Zoho is grounded, not hand-wavy.

6. Added carrier / SIM-swap / port-out considerations, which were not explicitly discussed but are logically essential to a complete anti-lockout strategy.

7. Separated verified facts from derived design conclusions, rather than overstating recommendations as if vendors themselves mandated them.

8. Flagged unresolved questions that materially affect the final architecture and should be answered before implementation.

Known limitations of this artifact

• It does not inspect the user’s actual current account settings.
• It does not verify the user’s registrar, DNS provider, or carrier-specific controls.
• It does not test Bitwarden or Google flows directly in the user’s environment.
• It does not replace legal/compliance advice for regulated environments.

---

Optional Appendix — Structured YAML Summary

title: "Account Lockout Resilience, Password Manager, Email, and Passkeys Playbook + AI Handoff"
date: "2026-03-18"
user_goal:
  - "Avoid circular lockout dependencies across password manager, email, phone, and domain stack"
  - "Create a personally usable and client-advisable best-practice framework"
discussion_core:
  - point: "Bitwarden email-linked second factor / recovery can create a chicken-and-egg problem"
    status: "user-stated + verified in capability"
  - point: "Zoho-hosted custom-domain email may serve as an independent recovery plane"
    status: "tentative design option"
  - point: "Passkeys/security keys should play a major role for crown-jewel accounts"
    status: "verified"
top_conclusions:
  - "Move Bitwarden away from email-based second factor toward FIDO2/WebAuthn"
  - "Use at least two hardware security keys for crown-jewel accounts"
  - "Keep recovery email/provider separate from the sign-in identity/domain"
  - "Separate admin-only accounts from daily-use accounts"
  - "Store recovery codes and backup materials offline"
  - "Protect the mobile carrier account because phone-based recovery is part of the attack surface"
important_verified_sources:
  bitwarden:
    - "https://bitwarden.com/help/setup-two-step-login-fido/"
    - "https://bitwarden.com/help/setup-two-step-login-email/"
    - "https://bitwarden.com/help/two-step-recovery-code/"
    - "https://bitwarden.com/help/encrypted-export/"
    - "https://bitwarden.com/help/emergency-access/"
  google:
    - "https://support.google.com/accounts/answer/13548313?hl=en"
    - "https://support.google.com/accounts/answer/7519408?co=GENIE.Platform%3DAndroid&hl=en"
    - "https://support.google.com/accounts/answer/1187538?co=GENIE.Platform%3DDesktop&hl=en"
    - "https://support.google.com/accounts/answer/185834?hl=en"
    - "https://support.google.com/a/answer/9011373?hl=en-JO&ref_topic=2785005"
    - "https://knowledge.workspace.google.com/admin/users/account-recovery-information-for-support"
  standards:
    - "https://pages.nist.gov/800-63-4/sp800-63b.html"
    - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63Bsup1.pdf"
    - "https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/require-multifactor-authentication"
    - "https://fidoalliance.org/passkeys/"
  zoho:
    - "https://help.zoho.com/portal/en/kb/accounts/multi-factor-authentication/articles/mfa-backup-verification-codes"
    - "https://help.zoho.com/portal/en/kb/accounts/faqs-troubleshooting/troubleshooting/account-recovery/articles/recover-your-zoho-account"
open_questions:
  - "Exact current Bitwarden 2FA/recovery configuration"
  - "Consumer Gmail vs Google Workspace vs super admin"
  - "Registrar and DNS provider identities"
  - "Whether sage.me is truly independent in admin and recovery terms"
  - "Availability of hardware keys"
  - "Carrier protections in place"
next_best_artifact:
  - "Personalized dependency map and break-glass SOP for Bitwarden + Google + Zoho + registrar + DNS + carrier"