Factory Reset Protection: What you need to know
Factory Reset Protection (FRP) is a security method that was designed to make sure someone can't just wipe and factory reset your phone (or tablet or wearable) if you've lost it or it was stolen.
Starting way back with Android 5, FRP is "standard" in vanilla Android, and the companies making our phones have implemented it in their own models. It's a good thing — it makes a stolen device almost impossible to use, which makes it less appealing to thieves, and anything that can protect our data on the devices we've lost is welcome.
It can become a problem if you sell, trade, or even give away a phone without factory resetting it, though. How it works explains why.
How it works
Simply put, FRP uses the credentials of the last account on the device to permit wiping or resetting the phone.
You have to be signed in with the "owner" account (the one you used to set it up) to factory reset it. That means if you give me your phone, I can't reset it without you being signed in. There are random workarounds on the Internet, but they tend to get patched almost as soon as they are discovered and you probably don't want to try random software you found on YouTube.
You'll pretty much need to know the login details for the last account to use the device before you can reset it and create a new owner account. Note that this means you may need to have the password or PIN, not just have access to a fingerprint.
We've been bitten by this ourselves. We ship phones all over North America and the U.K., and sometimes it's easy to forget you're still signed in when you stick a phone in a box. And yes, we have needed to share a password to get past the initial setup because of other policies Google has in place to protect your account.
This is a bit of an inconvenience, but it's understandable because FRP is in place to make sure your data is safe if you lose your device or it gets stolen.
You do have to remember the one critical rule: If you change or reset your Google account password, you shouldn't use it to wipe a phone that's using it for 72 hours. If you do this, Google can (and has) lock down your entire account. If this happens you'll need to try and contact Google support to get it fixed. Nobody wants that so change it and wait a few days.
Disable it the right way
Disabling FRP (Factory Reset Protection) is simple. On most phones, it will be automatically done whenever you choose to reset the data through the phone's settings. If your phone has an extra layer of reset protection from the company who built it or has a "find my phone" app from the company who built it, you'll want to disable that manually first.
There may be a few devices still in use that require a bit more hands-on work. If your phone is really old, you might need to remove the accounts that are signed in manually:
- Open your device settings and remove any security you have for the lock screen. This isn't a required step for all phones, but some want you to do this, so we're including it here.
- Once that's done, you need to remove any and all Google Accounts from the phone or tablet. That's also done in the settings — look for a section labeled Accounts. With an account selected, look for a delete or remove option, usually hidden behind the three little dots in the top corner of the screen.
- When you've made sure all of the Google accounts have been erased, you can then factory reset your phone or tablet through the device settings.
On modern Android phones, there shouldn't be any problems as long as you choose to factory reset your phone through its settings. This will automatically remove all the associated accounts in a way that "frees" the phone from FRP. If you try to reset a phone through the bootloader, FRP will kick in, and it can't be set back up without the previous account's password.
You can make sure any reset protection has been removed from a phone you want to find a new owner for. Just try to sign back into it after you've reset it.
If it asks for the previous username and password, FRP is still enabled. If it doesn't, you're good to go: power it off and box it up!
Oops! Too late, I already sent it.
If you've forgotten to turn off FRP and send a phone to someone else, you'll likely need to help them get it set up. This means giving them access to your Google account password. The only other reasonable option is to have it returned so you can do it yourself.
If you choose to let someone know your Google credentials, do it while you are on the phone with them. Give them the password to your account and have them verify that it worked, and they can continue the setup process. Then immediately change your Google account password, as well as any other accounts that might have been using the same password.
Remember to not erase or delete the Google account from another phone for 72 hours after you've done this! If you try, you may be locked out of your account and need to speak with someone at Google to resolve everything.
While we haven't seen headlines telling us mobile phone theft is down by any measurable percentage since FRP was enabled, it's still a good way to keep your data safe. And it's pretty easy to disable when you want someone else to be able to use your old phone.