By NHI Mgmt Group Editorial Team
Published: 2025-10-01
Domain: Governance & Risk
Source: iProov

TL;DR: Account recovery remains a weak point because attackers target security questions, SMS recovery, and email-based reset flows that assume compromised accounts are not already in play, according to iProov’s Raiffeisen Bank case study. Person-centric biometric verification shifts recovery from device trust to presence and identity, making remote recovery harder to abuse.


At a glance

What this is: This is an account recovery analysis showing that legacy reset flows are easy to social-engineer and that person-centric biometric checks can restore secure self-service.

Why it matters: It matters because recovery is part of the identity control plane, and weak reset paths can undo strong primary authentication across human, NHI, and emerging agent workflows.

👉 Read iProov's analysis of secure account recovery and biometric verification


Context

Account recovery is an identity governance problem, not just a support workflow. When reset paths rely on knowledge factors, SMS, or email assumptions, the organisation is effectively trusting the weakest part of the identity lifecycle instead of verifying that the rightful person is present.

The article shows why that gap matters in banking, where a single recovery session can reopen an account to fraudsters even when primary login is strong. For IAM teams, the lesson extends beyond customer identity to any process where recovery, offboarding, or reactivation can be exploited as an alternate path to access.


Key questions

Q: How should security teams secure account recovery without forcing branch visits?

A: Use layered identity proofing that verifies the person, not just the device or channel. Combine document checks, liveness detection, and step-up verification for high-risk recovery events, then reserve manual review for edge cases. The goal is to preserve self-service while making remote abuse materially harder than a genuine recovery.

Q: Why do SMS-based recovery flows remain risky in modern IAM programmes?

A: SMS recovery assumes the phone number and message channel are trustworthy, but attackers can intercept or redirect those signals through SIM swapping and social engineering. That makes SMS a weak recovery factor for high-value accounts. Organisations should use it only as one signal in a broader assurance model, not as the deciding proof of identity.

Q: What do teams get wrong about biometric account recovery?

A: Teams often assume biometrics automatically prove the right person is present, but that is only true when liveness and anti-spoofing controls are built into the flow. A fingerprint or face scan by itself can still be tied to a compromised device or replayed presentation. Strong recovery requires both identity proofing and live presence confirmation.

Q: Who is accountable when a recovery process is abused for account takeover?

A: Accountability usually sits with the identity, fraud, and customer operations teams together, because recovery is a shared control boundary. Security owns assurance thresholds, fraud teams monitor abuse patterns, and operations must support a process that does not force unsafe shortcuts. Recovery governance should be documented as a control, not treated as a support exception.


Technical breakdown

Why recovery flows become the easiest identity bypass

Recovery journeys often sit outside the harder controls used at primary sign-in. Security questions can be researched, SMS can be intercepted through SIM swapping, and email recovery assumes the email account and device remain uncompromised. That makes recovery an alternate authentication plane with weaker assurance than the main flow. The real issue is not convenience alone. It is that the organisation is accepting lower proof of identity exactly when an attacker is most likely to be seeking account takeover.

Practical implication: treat recovery as a high-risk authentication path and apply stronger identity proofing than primary login, not weaker controls.

Why device trust is not the same as person trust

The case study highlights a common mistake in digital identity design. A phone, PIN, or biometrics stored on a device can prove access to the device, but not necessarily the genuine user at the moment of recovery. Science-based biometrics with liveness detection change the trust signal from possession to presence. That distinction matters because attackers can use social engineering or remote activation to hijack device-based recovery even when the customer thinks the process is safe.

Practical implication: use liveness and document checks when recovery must confirm the actual person, not just a trusted device.

How biometric recovery reduces support burden and fraud exposure

A stronger recovery flow can do two jobs at once. It can reduce branch visits and manual interventions while also making remote abuse harder. In the Raiffeisen example, the bank moved from fully disabling remote activation to a remote process that validates identity through multiple steps, including document verification, facial liveness, and verification tokens. The architectural point is that secure recovery does not have to be purely manual, but it does have to be assurance-led.

Practical implication: redesign recovery to preserve self-service where possible, but only after adding identity proofing steps that materially raise attacker cost.
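As an added illustration of what an assurance-led recovery policy looks like in code (this is example code written for this post, not iProov's or Raiffeisen Bank's implementation), the Python below encodes the rules the breakdown above describes: security questions earn no credit, SMS is only a signal and is discounted after a SIM change, a face match counts only when liveness passed, and remote device activation or account reactivation must present document verification, a live face match and a verification token before self-service is allowed. The evidence names, event names, the SIM-change signal and the thresholds are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Evidence(str, Enum):
    """Evidence a recovery flow can collect. Names are constructed for this example."""
    SECURITY_QUESTION = "security_question"    # knowledge factor; researchable
    SMS_OTP = "sms_otp"                        # channel factor; SIM-swappable
    EMAIL_LINK = "email_link"                  # channel factor; assumes mailbox intact
    DEVICE_POSSESSION = "device_possession"    # proves access to a device, not a person
    DOCUMENT_VERIFIED = "document_verified"    # identity proofing step
    FACE_MATCH = "face_match"                  # biometric match against the document
    LIVENESS_PASSED = "liveness_passed"        # presence check; makes FACE_MATCH creditable
    VERIFICATION_TOKEN = "verification_token"  # short-lived token bound to this recovery


class RecoveryEvent(str, Enum):
    PASSWORD_RESET_KNOWN_DEVICE = "password_reset_known_device"
    REMOTE_DEVICE_ACTIVATION = "remote_device_activation"
    ACCOUNT_REACTIVATION = "account_reactivation"


HIGH_RISK_EVENTS = {RecoveryEvent.REMOTE_DEVICE_ACTIVATION, RecoveryEvent.ACCOUNT_REACTIVATION}
# High-risk remote recovery must prove identity (document), presence (live face)
# and bind the session (token). Channel signals alone can never satisfy this.
HIGH_RISK_REQUIRED = {Evidence.DOCUMENT_VERIFIED, Evidence.FACE_MATCH,
                      Evidence.LIVENESS_PASSED, Evidence.VERIFICATION_TOKEN}
CHANNEL_SIGNALS = {Evidence.SMS_OTP, Evidence.EMAIL_LINK, Evidence.DEVICE_POSSESSION}
STRONG_PROOF = {Evidence.DOCUMENT_VERIFIED, Evidence.FACE_MATCH}


@dataclass
class RecoveryRequest:
    event: RecoveryEvent
    evidence: set
    sim_changed_recently: bool = False  # hypothetical telco signal supplied by the fraud team
    failed_attempts_24h: int = 0


@dataclass
class Decision:
    outcome: str  # "allow" | "step_up" | "manual_review" | "deny"
    reasons: list = field(default_factory=list)
    missing: list = field(default_factory=list)  # evidence the user still has to supply


def credited_evidence(req):
    """Discount the weak factors before any threshold is applied."""
    ev = set(req.evidence)
    reasons = []
    if Evidence.SECURITY_QUESTION in ev:
        ev.discard(Evidence.SECURITY_QUESTION)
        reasons.append("security questions are researchable; not credited")
    if Evidence.FACE_MATCH in ev and Evidence.LIVENESS_PASSED not in ev:
        ev.discard(Evidence.FACE_MATCH)
        reasons.append("face match without liveness may be a replayed presentation; not credited")
    if Evidence.SMS_OTP in ev and req.sim_changed_recently:
        ev.discard(Evidence.SMS_OTP)
        reasons.append("SMS OTP discounted after recent SIM change")
    return ev, reasons


def evaluate(req):
    """Decide whether self-service recovery may proceed, needs step-up, or goes to review."""
    ev, reasons = credited_evidence(req)
    has_strong = bool(ev & STRONG_PROOF)

    if req.failed_attempts_24h >= 3:
        return Decision("manual_review", reasons + ["repeated failed recovery attempts"])
    if req.sim_changed_recently and not has_strong:
        return Decision("manual_review", reasons + ["SIM change with no person-centric proof"])
    if not ev:
        return Decision("deny", reasons + ["no credited evidence presented"])

    if req.event in HIGH_RISK_EVENTS:
        missing = sorted(HIGH_RISK_REQUIRED - ev, key=lambda e: e.value)
        if not missing:
            return Decision("allow", reasons + ["document, live face and token all verified"])
        return Decision("step_up", reasons + ["high-risk recovery needs person-centric proofing"], missing)

    # Low-risk reset on a known device: one strong proof, or two independent channel signals.
    if has_strong or len(ev & CHANNEL_SIGNALS) >= 2:
        return Decision("allow", reasons + ["low-risk threshold met"])
    return Decision("step_up", reasons + ["need a second independent signal or a strong proof"],
                    sorted(CHANNEL_SIGNALS - ev, key=lambda e: e.value))


if __name__ == "__main__":
    attacker_style = RecoveryRequest(RecoveryEvent.REMOTE_DEVICE_ACTIVATION,
                                     {Evidence.SMS_OTP, Evidence.SECURITY_QUESTION})
    print(evaluate(attacker_style))
    genuine = RecoveryRequest(RecoveryEvent.REMOTE_DEVICE_ACTIVATION, set(HIGH_RISK_REQUIRED))
    print(evaluate(genuine))
```

The important design choice is that discounting happens before the threshold check, so a flow can never "accumulate" its way to a high-risk approval with SMS plus a security question, and a face capture without liveness is treated exactly like no face capture at all. Step-up returns the missing evidence list so the front end can drive the user through proofing instead of failing closed into a branch visit.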


Threat narrative

Attacker objective: The attacker wants to take over the victim’s mobile banking session through the recovery channel and convert that access into fraudulent transfers.

  1. Entry begins with social engineering, where fraudsters impersonate bank officials or police to convince customers to reveal internet banking access or follow recovery instructions.
  2. Credential access is achieved through recovery abuse, then the attacker remotely activates mobile banking on a device they control, bypassing the customer’s normal access path.
  3. Impact follows as the attacker gains direct account access and can steal funds, while the bank is forced to absorb support costs and operational disruption.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Account recovery is now part of the attack surface, not a back-office convenience. This case shows that criminals do not need to break the primary login if the reset path is easier to manipulate. Security questions, SMS OTP, and email-based recovery all assume that compromise has not already reached the user, device, or communications channel. Practitioners should treat recovery as a governed identity flow with its own assurance threshold, because the weakest recovery path defines the real account boundary.

Person-centric verification is a better trust model than device-centric recovery. The bank’s shift exposes a governance gap that many programmes still leave unaddressed: proving device possession is not the same as proving the rightful human is present. Science-based biometrics with liveness detection change the trust signal from something a fraudster can hijack remotely to something tied to live presence. The implication is that identity assurance must follow the person through the lifecycle, not stop at the device.

Identity recovery controls should be judged by attacker adaptation, not by user convenience alone. The article shows that warning screens bought only a month of relief before criminals adapted their scripts. That pattern is the real lesson for IAM and fraud teams: if an access path can be socially engineered once, attackers will keep iterating until it becomes operationally normal. Practitioners should view recovery as an adversarial workflow that must withstand repeated behavioural adaptation.

Device-to-device activation is a governance control only when the assurance model is explicit. The new process combines customer identification, document verification, liveness, and biometric tokens into one remote flow. That matters because distributed identity proofing can be secure if each step raises assurance rather than merely adding friction. For the field, this is a reminder that recovery design is a policy decision about acceptable identity evidence, not just a UX decision.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
  • For a broader identity baseline, read Ultimate Guide to NHIs and Why NHI Security Matters Now for how identity programmes are expanding across machine, service, and human access paths.

What this signals

Recovery governance is becoming a practical litmus test for identity maturity. When organisations allow reset paths to remain weaker than primary authentication, they leave an exploitable gap at the point where account takeover is easiest. Teams should expect fraudsters to keep targeting the least-governed identity workflow, which means recovery needs the same policy rigor as sign-in and privileged access.

Biometric recovery is not a universal answer, but it is a useful signal that identity proofing is moving away from static factors. For customer-facing programmes, the strategic question is whether the organisation can distinguish possession of a device from presence of a person. That distinction is increasingly relevant as deepfake-assisted fraud and remote social engineering continue to erode trust in traditional reset methods.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, identity teams should assume recovery workflows, delegated access, and external integrations can all become hidden entry points if they are not governed as first-class controls.


For practitioners

  • Review recovery as a privileged identity path: map every account reactivation, reset, and device-binding flow as a separate control surface with its own approval, logging, and fraud review steps.
  • Replace knowledge-based recovery with stronger proofing: remove or de-emphasise security questions and SMS-only resets where the attacker can research answers or intercept the channel, and require stronger identity evidence instead.
  • Add liveness to remote recovery journeys: use liveness detection and document checks when the process must confirm a real person is present, especially for remote device activation or account reactivation.
  • Measure recovery by fraud resistance, not only completion rates: track how often recovery is attempted, abandoned, escalated, or manually reviewed, then compare those signals against fraud attempts and support burden.
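To make the last practitioner point concrete, the following added Python example (written for this post, not taken from iProov or the original article) aggregates a constructed set of recovery audit events by recovery method and derives fraud-resistance metrics next to the usual completion rate. The event schema, the method names and the 5% flag threshold are assumptions; the events are invented sample data.

```python
from collections import defaultdict

# Constructed recovery audit events (not real data). Each record is one recovery
# attempt, its final state, and whether the fraud team later confirmed abuse.
EVENTS = [
    {"id": 1, "method": "sms_reset", "outcome": "completed", "fraud_confirmed": True},
    {"id": 2, "method": "sms_reset", "outcome": "completed", "fraud_confirmed": False},
    {"id": 3, "method": "sms_reset", "outcome": "completed", "fraud_confirmed": True},
    {"id": 4, "method": "sms_reset", "outcome": "completed", "fraud_confirmed": False},
    {"id": 5, "method": "sms_reset", "outcome": "abandoned", "fraud_confirmed": False},
    {"id": 6, "method": "sms_reset", "outcome": "escalated", "fraud_confirmed": False},
    {"id": 7, "method": "biometric_remote", "outcome": "completed", "fraud_confirmed": False},
    {"id": 8, "method": "biometric_remote", "outcome": "completed", "fraud_confirmed": False},
    {"id": 9, "method": "biometric_remote", "outcome": "completed", "fraud_confirmed": False},
    {"id": 10, "method": "biometric_remote", "outcome": "abandoned", "fraud_confirmed": False},
    {"id": 11, "method": "biometric_remote", "outcome": "abandoned", "fraud_confirmed": False},
    {"id": 12, "method": "biometric_remote", "outcome": "manual_review", "fraud_confirmed": True},
]

OUTCOMES = ("completed", "abandoned", "escalated", "manual_review")


def _new_bucket():
    bucket = {"attempts": 0, "fraud_succeeded": 0, "fraud_caught": 0}
    bucket.update({o: 0 for o in OUTCOMES})
    return bucket


def recovery_metrics(events):
    """Per-method counts plus the rates a fraud review would compare across methods."""
    per_method = defaultdict(_new_bucket)
    for e in events:
        m = per_method[e["method"]]
        m["attempts"] += 1
        m[e["outcome"]] += 1
        if e["fraud_confirmed"]:
            # Fraud that reached "completed" is a successful account takeover; fraud that
            # ended in escalation or manual review was stopped by the recovery controls.
            key = "fraud_succeeded" if e["outcome"] == "completed" else "fraud_caught"
            m[key] += 1
    for m in per_method.values():
        attempts, completed = m["attempts"], m["completed"]
        m["completion_rate"] = round(completed / attempts, 3)
        # Friction: every attempt that did not finish as self-service.
        m["friction_rate"] = round((attempts - completed) / attempts, 3)
        m["manual_review_rate"] = round(m["manual_review"] / attempts, 3)
        # Fraud resistance: share of completed recoveries that were actually takeovers.
        m["fraud_per_completed"] = round(m["fraud_succeeded"] / completed, 3) if completed else 0.0
    return dict(per_method)


def flag_methods(metrics, max_fraud_per_completed=0.05):
    """Return methods whose completed recoveries exceed the tolerated takeover share."""
    return sorted(name for name, m in metrics.items()
                  if m["fraud_per_completed"] > max_fraud_per_completed)


if __name__ == "__main__":
    stats = recovery_metrics(EVENTS)
    for name, m in stats.items():
        print(name, {k: m[k] for k in ("completion_rate", "friction_rate", "fraud_per_completed")})
    print("needs redesign:", flag_methods(stats))
```

Read side by side, the two rates tell the story the article describes: the SMS path completes more often but half of its completions in this constructed sample were takeovers, while the biometric path shows more friction and its only fraud case was caught at manual review rather than completed. Judging recovery on completion rate alone would rank these the wrong way round.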

Key takeaways

  • Account recovery is often the softest part of an otherwise strong identity stack, and attackers actively target that weakness.
  • The Raiffeisen case shows that branch-heavy fallback models are usually a symptom of weak assurance design, not a long-term control strategy.
  • Stronger recovery depends on proving live personhood, not merely proving access to a device or recovery channel.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                      | Control / Reference | Relevance
NIST SP 800-63                 |                     | Account recovery relies on assurance and identity proofing, which sit squarely in digital identity guidance.
NIST Zero Trust (SP 800-207)   | PR.AC-1             | Recovery flows should not trust the channel or device by default.
NIST CSF 2.0                   | PR.AC-7             | Identity proofing and access conditions affect who can regain access after compromise.

Apply stronger identity proofing and recovery assurance to high-value reactivation flows.


Key terms

  • Account Recovery: The process used to restore access when a user cannot sign in or must rebind a device. In identity programmes, recovery is a separate assurance path that can become the easiest route for attackers if it relies on weak factors or trusted assumptions about email, phone, or device integrity.
  • Liveness Detection: A set of checks that aims to confirm a real person is present during biometric verification. It matters because a face or fingerprint capture alone does not prove the subject is live, genuine, or acting in person at the time of the transaction.
  • Identity Proofing: The process of establishing that a person is who they claim to be before granting or restoring access. Strong proofing combines multiple evidence signals, and for sensitive recovery flows it should raise assurance above the level used for routine sign-in.
  • Recovery Flow: The controlled sequence of steps that a user completes to regain access or activate a new device. Recovery flows are often treated as support journeys, but they are actually security pathways that need explicit policy, logging, and fraud resistance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by iProov: account recovery processes and the Raiffeisen Bank biometric recovery case study. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org