TL;DR: Traditional self-service password reset and account recovery rely on security questions, SMS, and email OTPs that attackers can exploit through phishing, social engineering, and account takeover, according to HYPR. Multi-factor identity verification closes the recovery gap by proving a real, present user before access is restored.
NHIMG editorial — based on content published by HYPR: Making Self-Service Password Reset and Account Recovery Secure
By the numbers:
- Up to 50% of all IT help desk tickets are for password resets, costing approximately $70 each.
- By reducing help desk tickets for password resets and account recovery by up to 95%, HYPR Affirm can drastically cut operational costs for organizations.
Questions worth separating out
Q: How should security teams secure self-service password reset and account recovery?
A: Use identity proofing before access is restored, not after.
Q: Why do traditional recovery methods increase account takeover risk?
A: They rely on factors attackers can guess, intercept, or socially engineer.
Q: What breaks when password reset is treated as a help desk convenience?
A: The organisation loses control of a high-risk identity decision point.
Practitioner guidance
- Remove low-assurance recovery factors Retire security questions and SMS or email OTPs from any recovery workflow that can restore access to business-critical or privileged accounts.
- Require identity proofing before reset completion Use document verification plus liveness detection before password reset or account reactivation is approved, especially where account takeover would create broad downstream access.
- Add risk-based escalation for ambiguous cases Route uncertain recovery attempts to a secure human-assisted step such as manager review or live video verification before access is restored.
What's in the full article
HYPR's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step self-service recovery flow design from request initiation through verified reset
- Document and selfie liveness checks used to confirm a present user during recovery
- Risk-based escalation paths to human-assisted verification when confidence is low
- The cost and ticket-reduction claim behind HYPR's recovery approach
👉 Read HYPR's analysis of secure self-service password reset and account recovery →
Self-service account recovery: are your controls keeping up?
Explore further
Recovery is part of identity governance, not a convenience add-on. Organisations often design password reset around service efficiency and forget that recovery is an access-restoration control with direct security consequences. When that path is weak, the attacker does not need to defeat the primary login at all, because the identity programme has already opened a simpler route to account takeover. The implication is that recovery should be governed as part of the access lifecycle, not treated as an IT support feature.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to the same research.
A question worth separating out:
Q: Who should own recovery assurance in an identity programme?
A: IAM and identity governance teams should own it with support from the service desk, security operations, and risk owners. Recovery is an access-restoration control, so it needs defined policy, evidence requirements, exception handling, and periodic review like any other identity control.
👉 Read our full editorial: Password reset recovery remains a major account takeover gap