Welcome to Unlocked
Most organizations invest heavily in login security.
Stronger passwords.
Multi-factor authentication.
Device verification.
Risk-based access.
On paper, the front door is locked tighter than ever.
But attackers rarely use the front door anymore.
They walk straight to the side entrance labeled "Forgot password?"
Welcome to the recovery gap: one of the least discussed yet most consistently exploited weaknesses in modern security.
The Security Paradox No One Talks About
Authentication has become more sophisticated over the past decade, guided in part by standards like the NIST Digital Identity Guidelines, which emphasize layered identity assurance and phishing-resistant authentication.
Yet despite stronger login controls, account takeovers continue to surge.
Why? Because recovery flows are designed with a very different priority:
speed over scrutiny.
After all, locked-out users are frustrated users.
Frustrated users open tickets.
Tickets create downtime.
Organizations optimize recovery for convenience. Attackers optimize for that convenience too.
Attackers Don't Break Authentication; They Wait for You to Bypass It
Consider how many recovery paths exist inside a typical enterprise:
- help desk resets
- SMS verification
- backup email links
- knowledge-based questions
- device re-enrollment
- delegated admin resets
Each pathway exists for a legitimate reason.
But each is also a potential shortcut around your strongest controls.
CISA has repeatedly warned that identity processes, including password resets, are prime targets for social engineering attacks.
The logic is simple: why defeat MFA when you can convince someone to reset it?
The Human Override Problem
Most recovery isn't technical.
It's conversational.
An attacker calls the help desk:
"I'm traveling."
"My phone was stolen."
"I can't access my authenticator."
"The board meeting starts in 10 minutes."
Now the security decision shifts from systems to a person under pressure.
Microsoft has documented how social engineering campaigns increasingly target support workflows because they rely on human judgment rather than cryptographic proof.
Recovery becomes a moment where policy meets empathy, and empathy often wins.
Recovery Is Expanding the Identity Attack Surface
Modern identity environments are no longer simple.
They include:
- workforce identities
- contractors
- vendors
- developers
- machine identities
- service accounts
Every identity eventually needs recovery.
Which means your recovery design is effectively part of your perimeter.
The Zero Trust Maturity Model from CISA reinforces this idea: trust must be continuously evaluated, not granted through one-time verification.
If recovery bypasses verification, Zero Trust quietly collapses.
The Most Common Recovery Weak Points
Security teams often discover these only after an incident.
1. Help Desk Resets
Support teams frequently have the power to reset the very controls security deploys.
Without strong verification standards, the help desk becomes a high-value target.
2. Fallback Factors
Backup methods tend to be weaker than primary ones.
Think:
- SMS instead of phishing-resistant MFA
- personal email instead of corporate identity
- security questions with publicly discoverable answers
NIST has explicitly discouraged knowledge-based authentication because answers are often easily obtained.
3. Silent Enrollment
If an attacker can register a new device during recovery, they don't just access the account; they persist inside it.
4. Over-Privileged Reset Paths
Some workflows allow password resets without evaluating the sensitivity of the account being recovered.
Resetting a marketing user is not the same as resetting a domain admin.
But many processes treat them equally.
Attackers notice that.
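To make the four weak points above concrete, here is an added example (not code from the newsletter) that hunts for them in a constructed identity-event log: a reset verified with a weak fallback factor, a new MFA enrollment shortly after it, and whether the account is privileged. The log format, the account tiering and the 30-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real logs): timestamp, account, event, key=value attrs.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice.admin HELPDESK_RESET verified_by=kba
2024-05-01T09:04:00 alice.admin MFA_ENROLL method=sms
2024-05-01T11:00:00 bob.mkt HELPDESK_RESET verified_by=kba
2024-05-02T08:00:00 carol.dev SELF_RESET verified_by=fido2
2024-05-02T08:03:00 carol.dev MFA_ENROLL method=fido2
"""
# Hypothetical tiering: accounts whose recovery deserves extra scrutiny (weak point 4).
PRIVILEGED = {"alice.admin", "carol.dev"}
# Fallback factors the text (and NIST) call out as weak (weak point 2).
WEAK_FACTORS = {"kba", "sms", "personal_email"}
# A new MFA method registered this soon after a reset is "silent enrollment" (weak point 3).
WINDOW_SECONDS = 30 * 60

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    attrs: dict

def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event records, in log order."""
    events = []
    for line in text.splitlines():
        ts, user, kind, *rest = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, kind,
                            dict(kv.split("=", 1) for kv in rest)))
    return events

def find_risky_recoveries(events: list[Event]) -> list[dict]:
    """Flag every reset verified with a weak factor; raise the severity when the
    same account enrolls MFA inside the window or is privileged."""
    findings = []
    for i, e in enumerate(events):
        if not e.kind.endswith("_RESET") or e.attrs.get("verified_by") not in WEAK_FACTORS:
            continue
        enrolled = any(x.user == e.user and x.kind == "MFA_ENROLL"
                       and (x.ts - e.ts).total_seconds() <= WINDOW_SECONDS
                       for x in events[i + 1:])
        score = 1 + 2 * enrolled + 2 * (e.user in PRIVILEGED)  # 1, 3 or 5
        findings.append({"user": e.user, "factor": e.attrs["verified_by"],
                         "silent_enrollment": enrolled, "privileged": e.user in PRIVILEGED,
                         "severity": {1: "low", 3: "medium", 5: "high"}[score]})
    return findings
```

Carol's reset is not flagged because it was proven with a phishing-resistant factor; Alice's is rated high because a weak help-desk reset was followed within minutes by a new SMS factor on a privileged account.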
Why This Problem Is Getting Bigger, Not Smaller
Three macro trends are quietly widening the recovery gap:
1. Identity Sprawl
Organizations now manage thousands, sometimes millions, of identities.
More identities = more recovery events = more opportunities.
2. Always-On Business Expectations
Downtime is unacceptable.
Recovery is pressured to be immediate.
Security rarely thrives under urgency.
3. Better-Informed Attackers
Attackers arrive prepared:
- scraped employee data
- org charts
- vendor relationships
- executive names
- travel patterns
They don't sound suspicious anymore.
They sound informed.
MITRE ATT&CK tracks social engineering under techniques designed specifically to manipulate trusted workflows, not to bypass technology.
π‘οΈ How Security Leaders Should Respond
Closing the recovery gap doesnβt mean making recovery painful.
It means making it intentional.
β Treat Recovery Like Authentication
Apply the same rigor:
- phishing-resistant verification where possible
- step-up authentication
- identity proofing
- behavioral signals
Recovery should never be weaker than login.
Tier Your Recovery Controls
Not every account carries equal risk.
Executives, finance, admins, and developers should require stronger recovery verification.
Slow Down High-Risk Changes
Speed is the attacker's ally.
Introduce friction when it matters:
- delay MFA changes
- alert users to recovery attempts
- require secondary approval
A few extra minutes can stop a breach.
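The three responses above (treat recovery like authentication, tier the controls, slow down high-risk changes) as one added policy routine, not code from the newsletter: the required bar is the tier minimum or the account's own login strength, whichever is higher, and persistent changes such as MFA resets get a hold and, for privileged accounts, a second approver. The strength ranking, tier table and hold times are assumptions.

```python
from dataclasses import dataclass, field

# Assumed assurance ranking of verification methods (higher is stronger).
STRENGTH = {"kba": 0, "sms": 1, "personal_email": 1, "corporate_email": 2,
            "totp": 3, "manager_callback": 3, "fido2": 4, "in_person_proofing": 4}
# Hypothetical tiers: minimum strength plus the extra friction each tier gets.
TIERS = {
    "standard":   {"min_strength": 2, "hold_minutes": 0,  "second_approver": False},
    "sensitive":  {"min_strength": 3, "hold_minutes": 30, "second_approver": False},
    "privileged": {"min_strength": 4, "hold_minutes": 60, "second_approver": True},
}
# Changes that grant lasting access and therefore get the tier's hold (delay).
PERSISTENT_CHANGES = {"mfa_reset", "device_enroll"}

@dataclass
class RecoveryRequest:
    user: str
    tier: str
    change: str                      # password_reset, mfa_reset or device_enroll
    verified_with: list = field(default_factory=list)
    login_strength: int = 0          # strength of the factor login normally requires

def evaluate(req: RecoveryRequest) -> dict:
    """Return the decision for one request. The bar is the tier minimum or the
    account's own login strength, whichever is higher: recovery never undercuts login."""
    policy = TIERS[req.tier]
    achieved = max((STRENGTH[m] for m in req.verified_with), default=-1)
    required = max(policy["min_strength"], req.login_strength)
    result = {"user": req.user, "required": required, "achieved": achieved,
              "notify_user": True,   # always alert the account owner of the attempt
              "second_approver": policy["second_approver"], "hold_minutes": 0}
    if achieved < required:
        result["decision"] = "step_up"   # verification too weak: prove more, not faster
    elif req.change in PERSISTENT_CHANGES and policy["hold_minutes"]:
        result["decision"] = "hold"
        result["hold_minutes"] = policy["hold_minutes"]
    else:
        result["decision"] = "allow"
    return result

if __name__ == "__main__":
    # Constructed requests: a weakly verified admin MFA reset and a properly proofed one.
    print(evaluate(RecoveryRequest("alice.admin", "privileged", "mfa_reset", ["sms", "kba"], 4)))
    print(evaluate(RecoveryRequest("alice.admin", "privileged", "mfa_reset", ["in_person_proofing"], 4)))
```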
Test Your Recovery Process
Many organizations test phishing resilience but never test the help desk.
Run a controlled recovery simulation.
See what actually happens.
You may learn more than any audit could reveal.
Unlocked Tip of the Week
Ask One Question at Your Next Security Meeting:
"Is it easier to reset an account than to break into one?"
If the answer is yes, even slightly, that's where your next investment belongs.
Because attackers don't hunt for the hardest control.
They hunt for the easiest bypass.
Final Takeaway
For years, cybersecurity focused on building stronger locks.
But the future of identity risk isn't about the lock.
It's about who is allowed to issue a new key.
The organizations that rethink recovery now will quietly prevent the breaches everyone else is still trying to detect.
Because in modern security, the fastest way in isn't breaking authentication.
It's being invited around it.
Stay ready. Stay resilient.
Until next time,
Meet Ethan Cole - Senior Security Engineer
Ethan Cole is a Senior Security Engineer with more than a decade of experience building secure SaaS products and protecting cloud-native infrastructure. He specializes in identity and access management, anomaly detection, and secure deployment pipelines, helping product teams bake threat modeling and privacy-first design into everyday engineering work. When he's not reviewing alert triage playbooks, he's mentoring junior engineers, contributing to open-source tooling for secure CI/CD, and experimenting with home lab automation.
About Our Sponsors
NEO
Trust-First AI, Built Into Your Browser
Agentic workflows are everywhere. Real trust is still rare.
Norton Neo is the world's first AI-native browser designed from the ground up for safety, speed, and clarity. It brings AI directly into how you browse, search, and work without forcing you to prompt, manage, or babysit it.
Key Features:
Privacy and security are built into its DNA.
Tabs organize themselves intelligently.
A personal memory adapts to how you work over time.
This is zero-prompt productivity. AI that anticipates what you need next, so you can stay focused on doing real work instead of managing tools.
If agentic AI is the trend, Neo is the browser that makes it trustworthy.
Try Norton Neo and experience the future of browsing.
IT Brew
Become the "know-IT-all"
Modern IT doesn't live in one lane.
IT Brew is a free, four-times-a-week newsletter covering the full range of stories shaping business tech, from cybersecurity and cloud to enterprise software, infrastructure, and data privacy.
It delivers clear, reliable context in one email, so you're not piecing together headlines from everywhere else.
Join 125K+ IT leaders who rely on IT Brew for comprehensive industry insight.