When Adding A Recovery Option Makes Things Worse

Posted on Fri 05 May 2023 in Misc

A couple of years ago, I added a recovery phone number to my Gmail account so that I could get back in if I ever forgot my password. Fast forward to the present day, and I needed to get back into the account. Even though I still had my password after all these years, I couldn't get in without a verification code sent to my old phone number, which I no longer had. I was able to get my account back by contacting the person who now has my old phone number, but that was pure luck.

I don't know why somebody would come up with such a horrible anti-pattern, but if you're in charge of a website and you want to give your users the option to add a recovery phone number, don't do this. Seriously, there's no reason to think that somebody coming back to an account after a few years is suspicious, unless you have a good reason to think that your company was hacked. Pro tip: you can keep your users' passwords from getting cracked if you enforce a reasonable password policy. That way, you can keep your users safe without locking them out of their accounts. I'll never get how Google doesn't understand this.