TL;DR: Traditional self-service password reset and account recovery rely on security questions, SMS, and email OTPs that attackers can exploit through phishing, social engineering, and account takeover, according to HYPR. Multi-factor identity verification closes the recovery gap by proving a real, present user before access is restored.
NHIMG editorial — based on content published by HYPR: Making Self-Service Password Reset and Account Recovery Secure
By the numbers:
- Up to 50% of all IT help desk tickets are for password resets, costing approximately $70 each.
- By reducing help desk tickets for password resets and account recovery by up to 95%, HYPR Affirm can drastically cut operational costs for organizations.
Questions worth separating out
Q: How should security teams secure self-service password reset and account recovery?
A: Use identity proofing before access is restored, not after.
Q: Why do traditional recovery methods increase account takeover risk?
A: They rely on factors attackers can guess, intercept, or socially engineer.
Q: What breaks when password reset is treated as a help desk convenience?
A: The organisation loses control of a high-risk identity decision point.
Practitioner guidance
- Remove low-assurance recovery factors: retire security questions and SMS or email OTPs from any recovery workflow that can restore access to business-critical or privileged accounts.
- Require identity proofing before reset completion: use document verification plus liveness detection before password reset or account reactivation is approved, especially where account takeover would create broad downstream access.
- Add risk-based escalation for ambiguous cases: route uncertain recovery attempts to a secure human-assisted step such as manager review or live video verification before access is restored.
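The three guidance points above describe one policy: low-assurance factors never count toward recovery, the account tier sets the assurance the reset must reach, and anything that falls short or looks uncertain goes to a human-assisted step. The following is an added example, written for this summary and not code from HYPR or from any product the article describes, of a recovery decision gate that applies that policy. The factor names, the assurance levels assigned to them, the account tiers, the 0.85 liveness-confidence threshold and the two escalation targets are all assumptions chosen for illustration.

```python
"""Recovery decision gate (added illustrative example, not HYPR's implementation).

All factor names, assurance mappings, tiers and thresholds below are assumed values
for the sake of the example; a real deployment would load them from policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Assurance(Enum):
    LOW = 1     # guessable or interceptable: security questions, SMS / email OTP
    MEDIUM = 2  # possession-bound: a passkey or authenticator on a known device
    HIGH = 3    # identity proofing: ID document check plus selfie liveness


# Assumed mapping of recovery factors to the assurance they provide.
FACTOR_ASSURANCE = {
    "security_question": Assurance.LOW,
    "sms_otp": Assurance.LOW,
    "email_otp": Assurance.LOW,
    "registered_passkey": Assurance.MEDIUM,
    "document_plus_liveness": Assurance.HIGH,
}

# Assumed policy: minimum assurance that must be met before access is restored.
REQUIRED_BY_TIER = {
    "standard": Assurance.MEDIUM,
    "business_critical": Assurance.HIGH,
    "privileged": Assurance.HIGH,
}

# Assumed threshold: a passed liveness check below this confidence is "ambiguous".
LIVENESS_CONFIDENCE_THRESHOLD = 0.85


@dataclass
class RecoveryRequest:
    account: str
    tier: str
    # factor name -> evidence, e.g. {"passed": True, "confidence": 0.93}
    factors_presented: Dict[str, dict]


@dataclass
class Decision:
    outcome: str                       # "allow" | "escalate" | "deny"
    reason: str
    escalate_to: Optional[str] = None  # human-assisted step when outcome is "escalate"


def strongest_passed_factor(req: RecoveryRequest) -> Optional[Tuple[str, Assurance]]:
    """Return the strongest factor that passed, ignoring LOW ones entirely.

    A passed SMS OTP or security question contributes nothing: retiring those
    factors means they must not count, not merely count for less.
    """
    best = None
    for name, evidence in req.factors_presented.items():
        level = FACTOR_ASSURANCE.get(name)
        if level is None or level is Assurance.LOW or not evidence.get("passed"):
            continue
        if best is None or level.value > best[1].value:
            best = (name, level)
    return best


def decide_recovery(req: RecoveryRequest) -> Decision:
    """Decide whether a reset may complete, must escalate, or is denied."""
    required = REQUIRED_BY_TIER.get(req.tier)
    if required is None:
        return Decision("deny", f"unknown account tier {req.tier!r}")

    best = strongest_passed_factor(req)
    if best is None:
        return Decision("deny", "no factor above LOW assurance passed")

    name, level = best
    if level.value < required.value:
        # Short of the tier's requirement: a human decides, the workflow does not.
        return Decision("escalate", f"{name} is {level.name}, tier requires {required.name}",
                        escalate_to="manager_review")

    if level is Assurance.HIGH:
        confidence = req.factors_presented[name].get("confidence", 0.0)
        if confidence < LIVENESS_CONFIDENCE_THRESHOLD:
            # Proofing passed but weakly: route to live video rather than allow.
            return Decision("escalate", f"liveness confidence {confidence:.2f} is below "
                            f"{LIVENESS_CONFIDENCE_THRESHOLD}", escalate_to="live_video_verification")

    return Decision("allow", f"{name} ({level.name}) satisfies {required.name} for tier {req.tier}")


if __name__ == "__main__":
    # Constructed sample requests (not real accounts) showing each branch.
    samples = [
        RecoveryRequest("alice", "privileged", {"sms_otp": {"passed": True}}),
        RecoveryRequest("bob", "privileged", {"registered_passkey": {"passed": True}}),
        RecoveryRequest("carol", "privileged", {"document_plus_liveness": {"passed": True, "confidence": 0.61}}),
        RecoveryRequest("dave", "privileged", {"document_plus_liveness": {"passed": True, "confidence": 0.97}}),
    ]
    for req in samples:
        d = decide_recovery(req)
        print(f"{req.account:6} {req.tier:17} -> {d.outcome:8} {d.reason} {d.escalate_to or ''}")
```

The point of the split between `strongest_passed_factor` and `decide_recovery` is that the first function cannot be talked into counting a low-assurance factor no matter how many are presented, and the second only ever downgrades toward escalation, never toward allow, when evidence is incomplete or weak.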
What's in the full article
HYPR's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step self-service recovery flow design from request initiation through verified reset
- Document and selfie liveness checks used to confirm a present user during recovery
- Risk-based escalation paths to human-assisted verification when confidence is low
- The cost and ticket-reduction claim behind HYPR's recovery approach