Solving account recovery challenges with Keyless
21 February 2023

Solving account recovery challenges with Keyless

21 February 2023

While it is often overlooked in light of other security concerns, account recovery is a considerable labour-intensive task for IT service desks. As the size of a business grows, so too do the challenges posed by account recovery.

In this article, we will discuss the key challenges of account recovery and reveal how companies can improve their account recovery procedures.

Poor User Experience in Account Recovery

As a business, your account recovery processes make a major difference to the user experience of your platforms and apps.

Data shows that the average person has around 100 active passwords to remember at one time.

However, forgetting login details are not the only reasons why a customer would need to recover their account. Account recovery may also be required when an account has been locked due to a previous breach. In some cases, accounts can also be locked if a customer changes the device that they log in from.

In all of the above scenarios, account recovery should be straightforward for a customer to register a new device or reset a compromised password.

At Keyless, we understand that poor authentication experiences negatively impact user experience. By using a passwordless multi-factor authentication solution like Keyless, customers can log in to accounts with a single look into the camera, which allows for a better and smoother user experience.

Account Recovery Methods & Challenges


Advice from the UK’s National Cyber Security Centre recommends a technique known as ‘throttling’ - whereby password systems are configured so that there is a progressively increasing time delay between successive login attempts. The idea behind throttling is that it restricts the number of times that an attacker can attempt to enter an account, while also providing multiple opportunities for a legitimate user to remember their password.

Throttling is generally preferred to a standard account lockout scheme that tends to give a limited number of login attempts before the account is frozen. Once a user's account has been frozen, they are effectively forced to contact the company’s helpdesk.


Additionally, as passwords continue to become more complex, companies are beginning to use additional account recovery methods to help customers access their accounts. For example, many organizations also ask users to set a secure PIN alongside their password. However, unless the PIN is a number or code that the customer uses elsewhere, they’re likely to forget these as (unlike a security question) there is often no context or hint provided.

Occasionally, companies might provide users with a set of single-use authorization codes that they can enter to recover their accounts. Authorization codes are generally seen as more secure than a PIN, but again, unless the user writes them down or takes a screenshot (which itself is a security risk), they’re unlikely to remember an arbitrary string of numbers and letters with no context.

Increasingly, companies are also implementing device-bound account recovery methods via one-time passwords (OTPs), or through device-bound biometrics. However, it’s important to note that if the customer has lost their device, they would also be unable to generate their OTP or supply their biometric data to access their account.

As a result, businesses using device-bound methods need to rely on fallback authentication methods to verify customers' identity - often a set of security questions or, at worst, contacting support.

Account Recovery is Expensive

Calling a helpdesk to carry out a password reset isn’t just frustrating for the customer, but also a costly and time-consuming endeavor for the business as well.

A study by the Gartner Group found that up to 50% of all help desk calls are related to password resets, with each reset typically taking between 2 - 30 minutes to fix. In monetary terms, meanwhile, Forrester Research found that the average cost of resetting a single password is as much as €66.

When you consider that massive global organizations such as Amazon, Apple, or Meta deal with millions of customers a day, it’s easy to see just how expensive a password reset can become if you don’t have a sufficient account recovery method in place.

Businesses that wish to protect their users from account takeovers, while also limiting their helpdesk expenditure, should consider using a hybrid account recovery approach that merges passwordless account recovery with a self-service solution.

Some account recovery methods are an invitation for fraud

Typical account recovery methods, such as sending OTPs via SMS or email, can pose security risks as these can readily be intercepted by malicious actors.

Research has shown that OTP security might fail 80% of the time and that accounts using OTPs are increasingly being targeted by hackers looking to carry out account takeovers via SIM swapping. Even OTPs sent via push notification or via an authenticator app can be intercepted using the latest phishing toolkits and keyloggers.

The impersonation problem

Scammers are increasingly aware of the pain points of account recovery and are actively targeting customers by offering fraudulent account recovery services.

In addition to offering personalized “support” to customers who have forgotten their passwords, fraudsters are increasingly exploiting outdated account recovery methods to impersonate users and access their accounts.

For example, scammers have used stolen personal information (often obtained through data breaches or password leaks) to impersonate genuine users while initiating account recovery processes.

The rate of data breaches is increasing globally, which has contributed to the rise in identity theft and impersonation. Since 2001, the victim count has increased from 6 victims per hour to 97 - making for a 1500% increase over 20 years.

Passwords, PINs, and OTPs are all “written” information which opens the door to a number of fraud and security concerns, as outlined previously.

Companies that use Keyless are resilient to credential-based authentication fraud, such as phishing and man-in-the-middle attacks, as there is no written password or code, that can be compromised. With Keyless, businesses and customers alike can benefit from a passwordless account recovery system that enhances security, eliminates overheads, and improves user experience.

Interested in learning more? Contact us today to discover how Keyless can help your business overcome the challenges of account recovery.

Request a demonstration

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.