Account Recovery Abuse

June 16, 2025


Account Recovery Abuse: The 2025 Playbook

Attackers bypass strong login by exploiting weak recovery steps. Lock down backup codes, email resets, and helpdesk overrides.

Plain words: You secured sign-in with passkeys. Attackers now attack “Forgot password,” SMS fallbacks, and support desks. Fix recovery first or everything else fails.

Why this matters

  • Recovery paths often ignore device posture and risk checks.
  • SMS numbers get recycled and SIM-swapped.
  • Helpdesks can be social-engineered into temporary bypasses.

Common attack paths
  1. SMS reset: SIM swap or recycled number hijacks the reset code.
  2. Email fallback: Attacker controls personal email that receives the reset link.
  3. Backup codes: Stale codes leaked from old exports or screenshots.
  4. Support override: Fake urgency triggers a manual unlock without full checks.

Design the defenses

Prevent
  • No SMS-only recovery: Require passkey or hardware key for resets.
  • Verified recovery email: Corporate address only; re-verify every 90 days.
  • Rotate backup codes: One-time use, 8–10 codes, auto-rotate after any use.
  • Device posture: Recovery allowed only from compliant devices or via kiosk with staff present.
  • Geo/IP checks: Block resets from new countries and known proxies.

Detect & Respond
  • Anomaly bundling: Alert when reset + new device + new country align.
  • Replay traps: Honey backup codes to detect leaks.
  • Auto-contain: After risky reset, force step-up on all sensitive apps.
  • Immutable recovery log: Hash-chain each reset request and decision.

Helpdesk guardrails

Scenario | Allowed | Not allowed
Locked-out traveler | Video ID check + manager approval + single-use passkey link valid 10 minutes | SMS OTP or email link to personal account
Device replacement | Issue recovery on managed kiosk; require second approver | Permanent bypass or long-lived temp passwords
Vendor user | Time-boxed account; recovery via vendor’s IdP federation only | Shared mailbox resets or generic logins

Plain-language policy

ALLOW recovery if:
  identity.assurance ≥ 2
  AND recovery.email = corporate_verified
  AND device.posture = compliant
  AND method in {passkey, hardware_key, kiosk_recovery}

REQUIRE step-up if:
  geo.new_country = true OR device.new = true OR risk.score ≥ 60

DENY if:
  sms_only = true OR personal_email = true OR publisher.unverified = true

Rollout checklist

Task | Owner | Target
Disable SMS and personal-email recovery | IdP Admin | This week
Issue two hardware keys to high-risk roles | IT / Sec | 2 weeks
Build kiosk recovery flow with dual control | Platform | 3 weeks
Rotate and reissue backup codes organization-wide | Sec Ops | This month
Immutable logging for all recovery events | Sec Eng | 2 weeks

Forensics: minimal immutable entry

{
  "event": "account_recovery",
  "user": "sara",
  "method": "kiosk_recovery",
  "assurance": 2,
  "device": "kiosk-07",
  "geo": "CA-AB",
  "approved_by": ["mgr:finley", "helpdesk:rowan"],
  "result": "success",
  "timestamp": "2025-10-20T18:04:00Z",
  "prev_hash": "b81e...33",
  "sha3_256": "4af1...9c",
  "sig": "dilithium3:base64..."
}
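As an added example (not code from the original article), here is the hash chain such an entry sits in, using only Python's standard library: each entry's sha3_256 covers its prev_hash, so editing a past decision or removing an entry breaks verification. It assumes a genesis prev_hash of 64 zeros, treats the sig field as outside the hashed body, and leaves the Dilithium3 signature out since no standard-library implementation exists.

```python
import hashlib
import json

# Fields computed over an entry, so they are not part of the hashed body. The article's
# "sig" would be produced over sha3_256 afterwards; it is omitted here (assumption).
EXCLUDED = {"sha3_256", "sig"}
GENESIS = "0" * 64  # prev_hash of the first entry; assumption for this example

def canonical(entry):
    """Deterministic encoding of the hashed fields: sorted keys, no whitespace."""
    body = {k: v for k, v in entry.items() if k not in EXCLUDED}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
def entry_hash(entry):
    """SHA3-256 over the canonical body; prev_hash is inside it, so each entry commits to its predecessor."""
    return hashlib.sha3_256(canonical(entry)).hexdigest()
def append_entry(ledger, event):
    """Link a new recovery decision to the previous entry and seal it with its hash."""
    entry = dict(event)
    entry["prev_hash"] = ledger[-1]["sha3_256"] if ledger else GENESIS
    entry["sha3_256"] = entry_hash(entry)
    ledger.append(entry)
    return entry
def verify_ledger(ledger):
    """Return (ok, index of first bad entry or -1); catches edited fields, broken links and removed entries."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry.get("prev_hash") != prev or entry.get("sha3_256") != entry_hash(entry):
            return False, i
        prev = entry["sha3_256"]
    return True, -1

# Constructed sample events modelled on the article's example entry.
SAMPLE_EVENTS = [
    {"event": "account_recovery", "user": "sara", "method": "kiosk_recovery", "assurance": 2, "device": "kiosk-07",
     "geo": "CA-AB", "approved_by": ["mgr:finley", "helpdesk:rowan"], "result": "success", "timestamp": "2025-10-20T18:04:00Z"},
    {"event": "account_recovery", "user": "sara", "method": "sms", "assurance": 1, "device": "unknown",
     "geo": "XX", "approved_by": [], "result": "denied", "timestamp": "2025-10-21T02:11:00Z"},
    {"event": "account_recovery", "user": "finley", "method": "passkey", "assurance": 2, "device": "lt-0412",
     "geo": "CA-AB", "approved_by": [], "result": "success", "timestamp": "2025-10-21T09:30:00Z"},
]

def demo():
    """Build a three-entry ledger, then show that an edit and a deletion are both caught."""
    ledger = []
    for ev in SAMPLE_EVENTS: append_entry(ledger, ev)
    edited = [dict(e) for e in ledger]
    edited[1]["result"] = "success"          # rewrite the denial as a success
    deleted = ledger[:1] + ledger[2:]        # drop the denial entirely
    return {"intact": verify_ledger(ledger), "edited": verify_ledger(edited), "deleted": verify_ledger(deleted)}
```

In production the verifier runs from an independent copy of the ledger, otherwise whoever can rewrite entries can also recompute the chain.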

Takeaway: harden recovery before login. Remove weak fallbacks, add dual control, and ledger every decision so attackers cannot talk their way around your controls.