Insecure Recovery Methods in Passwordless Authentication
Summary
Adoption of passwordless authentication (passkeys, biometrics, hardware tokens) is increasing, but the account recovery processes behind it remain insecure. Researchers presenting at Black Hat USA highlighted the risk of relying on insecure channels such as email and SMS to recover accounts. Weak recovery flows can lead to account takeover or to permanent lockout of the legitimate owner. Testing 22 of the most visited websites, the researchers found design flaws, security-policy weaknesses, and missing best practices in recovery processes. They recommend two-factor recovery options, strong session policies, and requiring multifactor authentication during recovery, and they urge both users and service providers to adopt stronger recovery methods.
Timeline
-
11.08.2025 20:53 · 1 article
Security flaws in account recovery processes identified at Black Hat USA
Researchers at Black Hat USA presented findings on the security flaws in account recovery processes for passwordless authentication. They tested 22 of the most visited websites and identified design flaws, security policy weaknesses, and missing best practices. The study emphasized the need for stronger recovery methods to mitigate risks associated with insecure communication channels.
Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
Information Snippets
-
Passwordless authentication methods include biometric authentication, passkeys, and tokens.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Account recovery methods often rely on insecure communication channels such as email and SMS.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Four out of five users have forgotten a password in the past 90 days, and 25% of users rely on account recovery mechanisms daily.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Weak account recovery processes can lead to account takeovers or permanent lockouts.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Researchers tested 22 of the most visited websites and found security flaws in account recovery methods.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Common security flaws include design flaws, security policy weaknesses, and missing best practices.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
Multifactor authentication is often not used during the account recovery process.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
-
An adversary who gets through a weak recovery flow can re-point the account's recovery methods to tokens or channels they control, leaving the legitimate owner permanently locked out.
First reported: 11.08.2025 20:53 · 1 source, 1 article. Sources:
- Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery · www.darkreading.com · 11.08.2025 20:53
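As an added example, not code from the Dark Reading article or from any of the sites the researchers tested, the Python below models the two recovery designs the snippets above contrast. WeakRecovery reproduces the criticised pattern: a single emailed token is the whole proof, it is stored in the clear, never expires or gets consumed, and the session it yields may re-point the recovery email with no further check. HardenedRecovery applies the page's recommendations: a hashed, single-use, short-lived token; a second recovery factor over a different channel before anything sensitive; revocation of every other session when recovery succeeds; and a restricted "recovery" scope that may only enroll a new passkey. All class and method names, the 15-minute token lifetime and the choice of an SMS code as the second factor are assumptions made for the example.

```python
"""Added example of a weak versus a hardened passwordless recovery flow.
Names, the 15-minute token lifetime and the SMS second factor are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # assumed lifetime of a recovery link, in seconds


@dataclass
class Account:
    user: str
    email: str
    phone: str
    passkeys: set = field(default_factory=set)


class WeakRecovery:
    """The flawed flow: an emailed link is the entire recovery process."""

    def __init__(self, acct: Account):
        self.acct, self.tokens, self.sessions = acct, {}, {}

    def request(self) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = self.acct.user      # stored in clear, never expires
        return token                             # "emailed" to the user

    def complete(self, token: str):
        if token not in self.tokens:             # token is never consumed: replayable
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = self.tokens[token]  # full-privilege session
        return sid

    def set_email(self, sid: str, new_email: str) -> bool:
        if sid not in self.sessions:
            return False
        self.acct.email = new_email              # no second factor, no notice:
        return True                              # the attacker now owns recovery


class HardenedRecovery:
    """Recovery needs two channels and only grants a limited session."""

    def __init__(self, acct: Account, clock=time.time):
        self.acct, self.clock = acct, clock
        self.pending = {}    # sha256(token) -> (user, expiry); raw token never stored
        self.sessions = {}   # sid -> {"user", "scope", "sf_code"}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[self._h(token)] = (self.acct.user, self.clock() + TOKEN_TTL)
        return token

    def complete(self, token: str):
        rec = self.pending.pop(self._h(token), None)   # single use
        if rec is None or self.clock() > rec[1]:
            return None
        self.sessions.clear()    # recovery revokes every other session, an attacker's included
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": rec[0], "scope": "recovery", "sf_code": None}
        return sid

    def issue_second_factor(self, sid: str):
        """One-time code sent over the other channel (the phone on file)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        s["sf_code"] = f"{secrets.randbelow(10**6):06d}"
        return s["sf_code"]                       # "sent" by SMS to acct.phone

    def confirm_second_factor(self, sid: str, code: str) -> bool:
        s = self.sessions.get(sid)
        if not s or not s["sf_code"] or not hmac.compare_digest(s["sf_code"], code):
            return False
        s["sf_code"], s["scope"] = None, "full"   # code consumed, scope upgraded
        return True

    def enroll_passkey(self, sid: str, cred_id: str) -> bool:
        """The one action a recovery-scoped session may take: regain a passkey."""
        s = self.sessions.get(sid)
        if not s:
            return False
        self.acct.passkeys.add(cred_id)
        return True

    def set_email(self, sid: str, new_email: str) -> bool:
        """Re-pointing a recovery channel is sensitive and requires full scope."""
        s = self.sessions.get(sid)
        if not s or s["scope"] != "full":
            return False
        self.acct.email = new_email
        return True
```

With the weak flow, anyone who reads the inbox once can complete recovery, replay the same link later, and silently replace the recovery email. With the hardened flow, the emailed link alone only yields a session that can restore a passkey; changing where future recovery goes requires proof over the second channel, and a successful recovery revokes any session an intruder already held.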