Factory Reset Protection: What you need to know

Phone Security
Phone Security (Image credit: Jerry Hildenbrand / Android Central)

Factory Reset Protection (FRP) is a security method that was designed to make sure someone can't just wipe and factory reset your phone if you've lost it or it was stolen. Starting with Android Lollipop, FRP is "standard" in vanilla Android, and most of the companies making our phones have implemented it in their own models. It's a good thing — it makes a stolen phone harder to use, which makes it less appealing to thieves, and anything that can protect our data on a phone we've lost is welcome.

How it works

It can become a problem if you sell, trade, or even give away a phone without factory resetting it, though. How it works explains why.

You have to be signed in with the "owner" account of the phone (the one you used to set it up) in order to factory reset it. That means if you give me your phone, I can't reset it without you being signed in. There are random workarounds on the Internet, but they tend to get patched almost as soon as they are discovered. You'll pretty much need to know the login details for the last account to use the phone before you can reset it and create a new owner account.

Factory Reset Protection

Source: Android Central (Image credit: Source: Android Central)

We've been bitten by this ourselves. We ship phones all over North America and the U.K., and sometimes it's easy to forget you're still signed in when you stick a phone in a box. And yes, we end up having to share a password to get past the initial setup because of other policies Google has in place to protect your account.

This is a bit of an inconvenience, but usually, we remember the one critical rule: If you change or reset your Google account password, you can't use it to wipe a phone that's using it for 72 hours.

Disable it the right way

Disabling FRP (Factory Reset Protection) is simple. On most phones, it will be automatically done whenever you choose to reset the data through the phone's settings. If your phone has an extra layer of reset protection from the company who built it or has a "find my phone" app from the company who built it, you'll want to disable that manually first.

There may be a few devices still in use that require a bit more hands-on work. If your phone is really old, you might need to remove the accounts that are signed in manually:

  • Open your device settings and remove any security you have for the lock screen. This isn't a required step for all phones, but some want you to do this, so we're including it here.
  • Once that's done, you need to remove any and all Google Accounts from the phone or tablet. That's also done in the settings — look for a section labeled Accounts. With an account selected, look for a delete or remove option, usually hidden behind the three little dots in the top corner of the screen.
  • When you've made sure all of the Google accounts have been erased, you can then factory reset your phone or tablet through the device settings.

On modern Android phones, there shouldn't be any problems as long as you choose to factory reset your phone through its settings. This will automatically remove all the associated accounts in a way that "frees" the phone from FRP. If you try to reset a phone through the bootloader, FRP will kick in, and it can't be set back up without the previous account's password.

You can make sure any reset protection has been removed from a phone you want to find a new owner for. Just try to sign back into it after you've reset it. If it asks for the previous username and password, FRP is still enabled. If it doesn't, you're good to go: power it off and box it up!

Oops! Too late, I already sent it.

If you've forgotten to turn off FRP and send a phone to someone else, you'll likely need to help them get it set up. This means giving them access to your Google account password. The only other reasonable option is to have it returned so you can do it yourself.

If you choose to let someone know your Google credentials, do it while you are on the phone with them. Give them the password to your account and have them verify that it worked, and they can continue the setup process. Then immediately change your Google account password, as well as any other accounts that might have been using the same password.

Remember to not erase or delete the Google account from another phone for 72 hours after you've done this! If you try, you may be locked out of your account and need to speak with someone at Google to resolve everything.

While we haven't seen headlines telling us mobile phone theft is down by any measurable percentage since FRP was enabled, it's still a good way to keep your data safe. And it's pretty easy to disable when you want someone else to be able to use your old phone.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.