Black Hat USA 2025 | Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future

The Black Hat USA 2025 presentation warned that account‑recovery mechanisms—intended as a safety net for forgotten passwords—are rapidly becoming the most exploitable entry point in a passwordless ecosystem. Speakers Sidra, Gabby, and their research team outlined how recovery flows rely on out‑of‑band channels such as email and SMS, which are outside the direct control of service providers and vulnerable to SIM‑swap, SS7, and phishing attacks.

Their empirical study examined 22 of the most‑visited web services, mapping each site’s “account states” and testing nine recovery scenarios ranging from unverified methods to multi‑factor interactions. The data showed that four‑fifths of users forget a password within 90 days and a quarter need recovery daily, underscoring the massive scale of the problem. Design flaws surfaced, including acceptance of unverified recovery contacts, inconsistent verification steps, and the ability to hijack accounts by exploiting misspelled or compromised recovery addresses.

A striking example cited was a site that allowed password resets using an unverified email address, enabling an attacker who controlled a typo‑adjacent address to seize the victim’s account without any additional checks. The researchers also introduced an adversary model—Alice, Eve, Mallory, and Chad—to illustrate how attackers can remain stealthy, lock out users, or spam recovery requests.

The talk concluded that without a fundamental redesign of recovery flows, even the strongest passwordless authentication (biometrics, passkeys) will be undermined. Their open‑source Auditing Recovery Architecture (ARA) framework provides a systematic way to evaluate and harden recovery processes, and the authors issued best‑practice recommendations for the industry to adopt more robust, verified recovery channels.