Account Recovery
Account recovery is the process by which a user regains access to their account after losing their primary credentials, typically through a verified alternative channel or identity proof.
Also: account recovery, password reset
Account recovery is the mechanism a user follows when they can no longer sign in with their usual credentials. The most common trigger is a forgotten password, but it also applies when a second factor is lost, a device is replaced, or a passkey is no longer available.
Recovery flows must balance accessibility with security. Sending a reset link to a registered email address is widely used. Stronger approaches include verifying a backup code, confirming identity through a second registered factor, or requiring identity proofing. NIST SP 800-63B advises that the recovery process should be at least as strong as the authentication it replaces, to prevent it from becoming the weakest link.
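The email reset-link approach above is only as safe as the token behind the link. The following is an added example, not code from this glossary or from NIST, showing the token properties a defender wants in that flow: generated from a CSPRNG, stored only as a hash, bound to one user, time-limited, single-use, superseded by any newer token for the same account, and compared in constant time. The 15-minute lifetime and the `ManualClock` helper are assumptions made here so that expiry can be demonstrated.

```python
"""Time-limited, single-use account-recovery tokens (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


class ManualClock:
    """Injectable clock so expiry can be exercised deterministically (test helper)."""

    def __init__(self, now: Optional[float] = None):
        self.now = time.time() if now is None else now

    def __call__(self) -> float:
        return self.now


@dataclass
class RecoveryToken:
    user_id: str
    token_hash: bytes   # only the hash is persisted; a database leak does not expose live links
    expires_at: float
    used: bool = False


def _hash(raw: str) -> bytes:
    return hashlib.sha256(raw.encode("utf-8")).digest()


class RecoveryStore:
    """Issues and redeems recovery tokens; the caller delivers the raw token out of band."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._tokens: List[RecoveryToken] = []

    def issue(self, user_id: str) -> str:
        # Supersede any outstanding token for this user: at most one live token per account.
        for t in self._tokens:
            if t.user_id == user_id:
                t.used = True
        raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a guessable value
        self._tokens.append(
            RecoveryToken(user_id, _hash(raw), self._clock() + TOKEN_TTL_SECONDS)
        )
        return raw  # send via the registered channel; do not log or echo it

    def redeem(self, raw: str) -> Optional[str]:
        """Return the user id if the token is valid, unexpired and unused; otherwise None."""
        presented = _hash(raw)
        now = self._clock()
        for t in self._tokens:
            # compare_digest avoids leaking how many bytes of the hash matched
            if hmac.compare_digest(presented, t.token_hash) and not t.used and t.expires_at > now:
                t.used = True  # single use: a replayed link is rejected
                return t.user_id
        return None


def demo() -> dict:
    """Stand-alone walkthrough of the lifecycle; returns the outcomes for inspection."""
    clock = ManualClock(1_000.0)
    store = RecoveryStore(clock)
    first = store.issue("alice")
    results = {"fresh": store.redeem(first), "replay": store.redeem(first)}
    older, newer = store.issue("alice"), store.issue("alice")
    results["superseded"] = store.redeem(older)
    clock.now += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.redeem(newer)
    results["garbage"] = store.redeem("not-a-real-token")
    return results


if __name__ == "__main__":
    print(demo())
```

A successful `redeem` only identifies the account; the application must then collect a new password and, following the NIST advice above, should not let an emailed link alone bypass a second factor that the account normally requires.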
Poorly designed recovery is a primary target for account takeover. Attackers exploit weak recovery by intercepting emails, social-engineering support agents, or answering guessable security questions.
For customer identity and access management (CIAM), account recovery directly affects both customer experience and security posture, making it one of the most consequential flows to get right.
Sources
- NIST SP 800-63B, Authentication and Lifecycle Management: https://pages.nist.gov/800-63-3/sp800-63b.html
Standards
- NIST SP 800-63B