Subscribe to the Non-Human & AI Identity Journal

Why do passkeys not eliminate the need for recovery controls?

Passkeys reduce phishing and password reuse, but they do not remove account recovery. If password resets, SMS OTP, or support overrides remain weak, attackers will target those paths instead. Mature IAM programmes treat recovery as part of the authentication system and apply the same assurance discipline to fallback routes as to sign-in itself.

Why This Matters for Security Teams

Passkeys shift user authentication toward phishing-resistant cryptography, but they do not end the authentication problem. Recovery paths still exist for lost devices, locked accounts, delegated support, and regulated step-up events. If those paths rely on weaker proof, the attacker simply bypasses the stronger primary factor. NHI Management Group’s Ultimate Guide to NHIs shows how often weak lifecycle controls create exposure, and the same pattern applies to recovery.

Security teams often focus on the new sign-in flow while leaving account reset and help desk workflows undergoverned. That creates a false sense of assurance because the user experience looks modern even when fallback logic is brittle. Mature identity programmes align recovery assurance with the same risk model used for primary authentication, as reflected in the NIST Cybersecurity Framework 2.0. In practice, many security teams discover recovery weakness only after an attacker uses the exception path to regain access, rather than through intentional testing.

How It Works in Practice

Passkeys usually reduce the need to remember passwords, but they do not eliminate the need to prove continuity of control when a device is lost, replaced, or compromised. Recovery is part of the authentication system, not a separate admin process. Good design treats recovery as a high-assurance workflow with explicit policy, logging, and review. That means deciding in advance what counts as sufficient proof, who can approve it, and what evidence is required before a new credential is issued.

Common recovery controls include:

  • Backup passkeys stored on separate trusted devices.
  • Step-up verification through a second strong factor or verified device binding.
  • Time-bound recovery codes with strict issuance and revocation rules.
  • Human support escalation that requires identity proofing and recorded approval.
  • Delayed recovery windows for high-risk accounts so anomalies can be detected.

The important question is not whether a recovery option exists, but whether it is stronger than the attack paths it replaces. Guidance from the NIST Cybersecurity Framework 2.0 and the NHIMG research on Schneider Electric credentials breach both point to the same operational lesson: authentication failures often emerge at the boundaries, where process exceptions outlive technical controls. Strong recovery also depends on monitoring, because account restoration events are high-signal opportunities for abuse, especially when attackers compromise email, mobile numbers, or help desk trust relationships. These controls tend to break down in large enterprises with outsourced support desks and inconsistent identity proofing because exception handling becomes more trusted than the passkey itself.

Common Variations and Edge Cases

Tighter recovery controls often increase user friction and support cost, requiring organisations to balance resilience against usability and help desk load. That tradeoff is real, especially for consumer accounts, shared devices, and regulated environments where account lockout has business impact. There is no universal standard for recovery assurance yet, so current guidance suggests matching recovery strength to account sensitivity rather than applying one uniform rule.

Edge cases matter. If a user loses all registered devices, backup methods become the only path back in, so those methods should not be weak by default. For high-value administrators, recovery should be slower, more observable, and more tightly approved than ordinary self-service reset. For lower-risk consumer accounts, a streamlined flow may be acceptable if it is paired with anomaly detection and forced re-verification after recovery. The key is to design recovery as a controlled re-issuance event, not as a convenience feature. NHI Management Group’s broader guidance in the Ultimate Guide to NHIs — Standards reinforces that lifecycle governance matters as much as initial authentication, because unattended exceptions are where identity systems usually fail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Recovery is part of authentication assurance, not a separate workflow.
NIST SP 800-63 AAL2 Passkey recovery must preserve the assurance level of the original login.
OWASP Non-Human Identity Top 10 NHI-07 Fallback and recovery paths often become the weakest identity control.
NIST AI RMF GOVERN Recovery logic needs accountable policy, not ad hoc support decisions.
CSA MAESTRO GOV-03 Agentic and automated recovery workflows need explicit operational governance.

Classify recovery as an authentication control and apply the same assurance, logging, and review standards.