Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future
Black Hat USA 2025 · Day 1 · Briefings
Researchers from Aalto University audited the account recovery flows of the most widely used websites using a structured evaluation framework called Artha and found that recovery mechanisms, intended as a security fallback, are systematically insecure by design. Three adversary models were demonstrated across eight distinct attack scenarios, including parallel session attacks, arms race attacks, and permanent lockout attacks, all of which are carried out through the recovery flows themselves, without custom code, software exploits, or access to the victim's credentials. The findings expose a structural gap: primary authentication has advanced rapidly (from passwords to passkeys), while account recovery still relies on legacy channels such as email and SMS, so the recovery path remains the weakest link even for passkey-protected accounts.
AI review
Rigorous academic work on a problem that's both obvious and completely unaddressed by the industry. Account recovery as an attack surface gets the systematic treatment it deserves, and the arms race attack and parallel session findings are genuinely underappreciated. Lacks the punch that comes from a specific vulnerability in a named system, but the Artha framework is deployable.