Account recovery is a double-edged sword. It’s one of the main entry points for attackers, but that means organizations often secure the process very tightly - so security comes at the expense of UX.
So how can organizations make account recovery both secure and user-friendly?
Let’s use a mobile banking app as our primary example. Financial services is an industry with a lot to protect, and regaining access to a banking app is one of the most common gateways fraudsters target.
Defining Account Recovery
What do we mean by account recovery in a banking context? There are usually two situations that trigger this process:
A customer forgets their password, PIN, or any other credential they use for login.
A customer buys a new device, downloads the banking app, and tries to log into their existing account for the first time on the new phone.
The core problem is: How does the bank know that the person requesting access is the actual account holder, especially when key login details are missing or the device is unknown?
Account Recovery: A Tradeoff Between UX and Security
The typical account recovery process for a mobile banking app relies on methods that offer either poor security or a poor user experience. The most common methods are:
SMS OTPs (One-Time Passwords) - poor security, average UX
Call centers - poor security, poor UX
Re-verification (re-IDV)* - good security, poor UX
*Where the user must go through the entire Know Your Customer (KYC) process again, often showing their ID card again via an IDV vendor process.
The Solution: Biometric Account Recovery with One Look
The key to solving this security vs. UX conflict is using third-party biometric authentication to compare the user’s face captured during account recovery to the one captured during the initial IDV.
Third-party biometric authentication providers, like Keyless, live as a software development kit (SDK) inside a bank app. Unlike local biometrics like FaceID, third-party biometrics can link the face presented at authentication to the one captured during the IDV process. FaceID only compares the presented face to the one enrolled on the device, and that enrollment can be changed by anyone who knows the device PIN. To read more about local vs third-party biometrics for banking apps, you can read our dedicated article here.
As the user goes through enrollment with an IDV provider, they are also enrolled into the third-party biometric solution. The face captured during this process is securely associated with the biometric taken during IDV/KYC.
Now, whenever the user needs to recover their account, all they need to do is show their face to the camera. The user's live face is compared to the enrolled image, which is associated with their established, verified identity.
The typical user flow looks like this:
The user clicks Recover Account.
They add their identifier (email, username, etc.) to tell the bank who they are.
They add an (optional) PIN.
They show their face to the camera.
If the face matches the verified profile established during IDV, they regain access to their account.
Key Stipulations for Implementation
This approach dramatically improves account recovery UX, but still needs to stick to certain security principles:
First, the bank must include some form of written identifier (email, username) to determine who the user is before they attempt recovery. This identifier is what the bank uses to retrieve the enrolled face template from the biometric server for comparison.
Second, the biometric capture itself is essentially single-factor, because the device is new and not yet known to the bank. While standard Keyless authentication flows are multi-factor by design, account recovery is the exception. Organizations should therefore harden this step with another factor, such as a knowledge factor like the optional PIN shown in the flow above.
Either way, only the verified face established during onboarding can be used to recover the account, and recovery happens without pushing the user through the re-IDV flow. This makes the process secure, fast, and user-friendly. This is the optimal way to improve Account Recovery UX.
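To make the user flow and the two stipulations concrete, here is an added example of a server-side recovery decision; it is not Keyless SDK code. It assumes a vendor-supplied face template and match threshold (modelled here as toy vectors and cosine similarity), that the SDK has already performed liveness detection, and it generalizes slightly: on a device the bank already knows, the face alone suffices, while on an unknown device the PIN is required as the second factor.

```python
# Added example, not Keyless's SDK: a server-side recovery decision that follows
# the two stipulations above. Face templates are constructed toy vectors; real
# templates and the match threshold come from the biometric vendor (assumed).
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FACE_MATCH_THRESHOLD = 0.90  # assumed vendor setting, tuned against FAR/FRR


@dataclass
class EnrolledUser:
    template: List[float]        # template captured at IDV/KYC enrollment
    pin_salt: bytes
    pin_hash: bytes
    known_devices: Set[str] = field(default_factory=set)


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def enroll(template: List[float], pin: str, device_id: str) -> EnrolledUser:
    salt = secrets.token_bytes(16)
    return EnrolledUser(template, salt, hash_pin(pin, salt), {device_id})


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def recover(users: Dict[str, EnrolledUser], identifier: str, live_template: List[float],
            device_id: str, pin: Optional[str]) -> str:
    # Stipulation 1: the written identifier selects the enrolled template to compare.
    user = users.get(identifier)
    if user is None:
        return "denied"  # same answer as a failed match, so identifiers cannot be enumerated
    # Stipulation 2: on an unknown device the face is a single factor, so require the PIN.
    if device_id not in user.known_devices:
        if pin is None or not hmac.compare_digest(hash_pin(pin, user.pin_salt), user.pin_hash):
            return "denied"
    # The live template is assumed to have passed the SDK's liveness check already.
    if cosine(live_template, user.template) < FACE_MATCH_THRESHOLD:
        return "denied"
    user.known_devices.add(device_id)  # later logins from this phone are multi-factor again
    return "recovered"
```

The identifier lookup, PIN check and face match all collapse to the same "denied" result so the response does not reveal which step failed.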
Interested in learning more?
Contact us today to discover how Keyless can help your business overcome the challenges of account recovery, or request a demo.