Hidden Risks in Passwordless Account Recovery
Summary
Researchers at Black Hat USA 2025 highlighted significant risks associated with passwordless account recovery methods. Despite the adoption of passwordless authentication, account recovery processes often rely on insecure communication channels like email and SMS, making them vulnerable to account takeovers and permanent lockouts. The researchers tested 22 of the most visited websites and found widespread weaknesses in account recovery methods. They identified design flaws, security policy weaknesses, and missing best practices, including the lack of multifactor authentication during recovery. Users and service providers are advised to implement stronger recovery processes, including two-factor recovery options and stringent session policies.
Timeline
- 11.08.2025 20:53 (1 article, 1 month ago)
Researchers Identify Hidden Risks in Passwordless Account Recovery
At Black Hat USA 2025, researchers highlighted the vulnerabilities in passwordless account recovery methods. They found that these methods often rely on insecure communication channels and lack multifactor authentication, making them susceptible to account takeovers and permanent lockouts. Tests on 22 of the most visited websites revealed widespread weaknesses in account recovery processes.
Source: Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery, www.darkreading.com, 11.08.2025 20:53
Information Snippets
- Passwordless authentication methods, including biometric authentication, passkeys, and tokens, are increasingly adopted.
  First reported: 11.08.2025 20:53 (1 source, 1 article)
  Source: Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery, www.darkreading.com, 11.08.2025 20:53
- Account recovery methods often rely on insecure communication channels like email and SMS.
- Four out of five users have forgotten their passwords in the past 90 days, and 25% of users rely on recovery mechanisms daily.
- Weak account recovery methods can lead to account takeovers or permanent lockouts.
- Researchers tested 22 of the most visited websites and found widespread weaknesses in account recovery methods.
- The tests revealed design flaws, security policy weaknesses, and missing best practices in account recovery.
- Multifactor authentication is often not used during the account recovery process.
- Adversaries can change the recovery method to a token of their choosing, permanently locking the legitimate account owner out.
- Users and service providers are advised to implement stronger recovery processes, including two-factor recovery options and stringent session policies.