I've been wondering about best practices to secure gmail. A strong password and 2 factor authentication seem best, but I'm not sure what to do about password recovery.

1) Recovery options:

a) List a mobile phone. The problem is that phones can be lost or stolen. If it's a smartphone, the thief then has your email address and the means to take control.

If you use the mobile for 2 factor authentication, you'd seem to have the same problem if lost or stolen.

b) Recovery email address. That just seems to push the same problem to another level - how do you secure the recovery email address? Perhaps set up a gmail account purely for password recovery and protect it only with a secure password?

c) Security question. This does not seem to be offered for new accounts, but is available for older ones. The problem is if you use real info it's discoverable and if you make up info it's something else to remember. Perhaps put the security question into lastpass or the like.

2) If you have multiple accounts, should you use the same recovery info for all accounts? Single point of failure v. complexity.