Tuesday, 3 March 2026

Black Hat USA 2025 | Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future

We explored the "Recover my account" option of some of the 25 most visited websites. We considered permutations and combinations of scenarios where account recovery can be triggered by a user and how these websites allow the claiming entity (user or an adversary) to gain control over the account. We turned the authentication maze into an easy-to-follow test suite that allows security auditors and webmasters to evaluate the security of the account recovery mechanism of a given website. We learned several lessons on designing a secure and usable account recovery procedure by recovering our own user accounts thousands of times.

The wisdom passed on by the security community is one of the reasons why users mislay their authentication credentials: pick a strong password, change it as frequently as possible, and use a password manager. Despite users being unable to keep track of the many passwords we all have, adoption of password managers is still low.

In this talk, we will give insights on the security of account recovery procedures in the wild from the websites we tested, how to evaluate it yourself with the test suite (or auditing framework) we designed, and how to get it right with the best practice recommendations that we drafted.

By:
Sid Rao | Senior Security Research Scientist, Nokia Bell Labs
Gabriela Sonkeri | Security Engineer, Wolt
Amel Bourdoucen | User and Impact Researcher, Aalto University, F-Secure
Janne Lindqvist | Associate Professor, Aalto University

Presentation Materials Available at: https://ift.tt/4NXgskr
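The abstract describes walking through "permutations and combinations" of recovery scenarios and checking who ends up in control of the account. The script below is an added illustration of that kind of audit, written for this page; it is not the speakers' test suite, and the proof vocabulary, the claimant types and the three policy-level checks (owner notification, cooling-off period, session revocation) are the editor's assumptions about what such an audit would cover. It enumerates every (lost item, claimant) pair, asks whether the site's recovery policy lets that claimant regain access with the proofs they hold, and reports adversary takeovers, owner lockouts and policy gaps for a constructed weak policy and a constructed hardened one.

```python
"""Enumerate account-recovery scenarios and flag weak recovery paths.

Added example for this page; the criteria below are assumptions, not the
framework presented in the talk.
"""
from dataclasses import dataclass
from itertools import product

# Proofs a site may accept during recovery (constructed vocabulary).
PROOFS = {"email_link", "sms_code", "backup_code", "hardware_key"}

# What the claimant says they lost, and which recovery proofs that loss also
# takes away. Assumption: the second factor is a hardware key; losing the
# password removes no recovery proof.
LOST_REMOVES = {
    "password": set(),
    "second_factor": {"hardware_key"},
    "email_access": {"email_link"},
    "phone_access": {"sms_code"},
}

# Who is claiming the account and which proofs they can actually produce.
CLAIMANTS = {
    "owner": PROOFS,                         # has everything, minus what was lost
    "adversary_with_email": {"email_link"},  # controls the mailbox only
    "adversary_with_phone": {"sms_code"},    # controls the phone number only
}


def scenarios():
    """Every (lost item, claimant) combination the audit walks through."""
    return list(product(LOST_REMOVES, CLAIMANTS))


@dataclass
class RecoveryPolicy:
    name: str
    # lost item -> list of alternatives; each alternative is a set of proofs
    # that must all be presented together
    accepted: dict
    notifies_existing_contacts: bool
    cooldown_hours: int
    revokes_sessions: bool


def can_recover(policy, lost, available):
    """True if some accepted alternative for `lost` is covered by `available`."""
    return any(alt <= available for alt in policy.accepted.get(lost, []))


def evaluate(policy):
    """Findings: adversary takeovers (security), owner lockouts (usability), policy gaps."""
    takeovers, lockouts = [], []
    for lost, claimant in scenarios():
        available = CLAIMANTS[claimant] - LOST_REMOVES[lost]
        ok = can_recover(policy, lost, available)
        if claimant == "owner" and not ok:
            lockouts.append(lost)
        if claimant != "owner" and ok:
            takeovers.append((lost, claimant))
    gaps = []
    if not policy.notifies_existing_contacts:
        gaps.append("no notification to existing contacts")
    if policy.cooldown_hours == 0:
        gaps.append("no cooling-off period before recovery completes")
    if not policy.revokes_sessions:
        gaps.append("existing sessions survive recovery")
    return {"takeovers": takeovers, "lockouts": lockouts, "gaps": gaps}


# Constructed sample policies: an email-link-for-everything site and a
# hardened one that never accepts a proof weaker than what was lost.
WEAK = RecoveryPolicy(
    name="weak",
    accepted={lost: [{"email_link"}] for lost in LOST_REMOVES},
    notifies_existing_contacts=False,
    cooldown_hours=0,
    revokes_sessions=False,
)
HARDENED = RecoveryPolicy(
    name="hardened",
    accepted={
        "password": [{"email_link", "hardware_key"}, {"email_link", "backup_code"}],
        "second_factor": [{"backup_code"}, {"email_link", "sms_code"}],
        "email_access": [{"hardware_key"}, {"sms_code", "backup_code"}],
        "phone_access": [{"email_link", "hardware_key"}, {"email_link", "backup_code"}],
    },
    notifies_existing_contacts=True,
    cooldown_hours=72,
    revokes_sessions=True,
)

if __name__ == "__main__":
    for policy in (WEAK, HARDENED):
        print(policy.name, evaluate(policy))
```

The takeover list for the weak policy shows the core problem the talk points at: an email-only recovery path lets whoever holds the mailbox reset a password, replace a second factor, or claim a lost phone number, while the owner who lost mailbox access is locked out. The hardened policy closes those paths by requiring a proof at least as strong as the one being replaced and by adding a notification, a cooling-off window and session revocation.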

source https://www.youtube.com/watch?v=PtVGiROEBAM
