
Account Recovery Becomes a Major Source of Workforce Identity Breaches

Identity systems designed to protect employee accounts can still be bypassed when attackers exploit account recovery workflows such as password resets and MFA re-enrollment.

Many organizations have hardened login with MFA and phishing-resistant controls. Yet some of the most damaging identity breaches now occur after login: during password resets, MFA re-enrollment, or routine help-desk recovery requests.

These workflows are rarely treated as security-critical events. Attackers know that credentials can be reset, MFA can be disabled, and devices can be replaced. They don’t need to defeat cryptography if they can convince a system or a service desk to let them in.

That weakness has been exploited in the real world. In a series of incidents in 2025, major U.K. retailers such as Marks & Spencer, Harrods, and the Co-op Group were targeted by attackers who used social engineering to trick help-desk personnel into resetting credentials and bypassing MFA protections.

Recovery paths exist because things go wrong. That makes them the easiest place to exploit trust.

When breaches are analyzed after the fact, the initial compromise can often be traced to an account that was legitimately issued, protected by MFA, and compliant with policy. The failure wasn’t at login. It was in how identity was re-established afterward.

Why Recovery Workflows Are Structurally Weak

Account recovery is designed for speed and low friction, not threat resilience. As a result, recovery workflows are often built on assumptions that are no longer valid:

  • The person requesting access is acting in good faith
  • Voice, email, or chat are trustworthy channels
  • Knowledge-based questions provide meaningful assurance
  • Help desk staff can reliably detect deception

These were fragile even before attackers began using AI. Today, they are a breach waiting to happen.

Impersonation no longer requires guesswork. Public data, breached credentials, synthesized voices, and convincing pretexts can be assembled quickly and cheaply. Recovery paths that rely on human judgment or static information are now the path of least resistance.

The Help Desk as an Identity Authority

Whether they want the role or not, help desk teams function as de facto identity authorities. They decide who gets access restored, which authenticators are reset, and when exceptions are granted.

This puts frontline staff in a thankless position. They are asked to verify identity without reliable evidence, often under time pressure, using channels that attackers can easily manipulate.

Even well-trained teams struggle. Scripts and training help against unsophisticated attempts, but they do not scale against sophisticated impersonation. When an attacker knows internal terminology, organizational structure, and recent activity, the difference between a real employee and a fake one becomes nearly impossible to detect without stronger proof.

MFA Resets Expose Identity Security Gaps

While MFA is widely deployed in many organizations, it is far less rigorously governed during recovery. In many environments, resetting MFA requires little more than answering questions, clicking an email link, or persuading a support agent. Once it is reset, downstream controls inherit that compromised trust.

This is why organizations experience breaches where MFA was “enabled” but ineffective. The control existed, but the path around it was easier than the path through it. Strong authentication loses its value when recovery flows recreate trust from scratch instead of re-establishing it.
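The pattern described above, an MFA reset followed by a takeover that the login-time controls never see, is detectable in the identity provider's audit trail. The following is an added example for this article, not the author's or any vendor's code: it scores each MFA reset by who performed it and over which channel, then by what the account does in the following window. The JSON event shape, event names, the 24-hour window and the weights are assumptions chosen for illustration; real IdP logs differ in field names, and the sample events are constructed.

```python
"""Flag MFA resets that are followed by risky sign-in or privilege activity.

Added example for this article, not the author's or any vendor's code.
The JSON log shape, event names, the 24-hour window and the scores are
assumptions chosen for illustration; real IdP audit logs differ.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on an identity-provider audit log.
# "bob" is the help-desk-reset-then-takeover pattern; "dave" is a benign reset.
SAMPLE_LOG = """\
{"ts": "2025-04-20T09:02:11Z", "event": "user.session.start", "user": "alice", "ip": "203.0.113.10", "device": "known"}
{"ts": "2025-04-20T14:30:05Z", "event": "user.mfa.factor.reset", "user": "bob", "actor": "helpdesk:carol", "channel": "phone"}
{"ts": "2025-04-20T14:41:52Z", "event": "user.mfa.factor.enroll", "user": "bob", "ip": "198.51.100.77", "device": "new"}
{"ts": "2025-04-20T14:55:10Z", "event": "user.session.start", "user": "bob", "ip": "198.51.100.77", "device": "new"}
{"ts": "2025-04-20T15:10:33Z", "event": "group.membership.add", "user": "bob", "ip": "198.51.100.77", "target": "Domain Admins"}
{"ts": "2025-04-21T08:00:00Z", "event": "user.mfa.factor.reset", "user": "dave", "actor": "self", "channel": "in_person"}
{"ts": "2025-04-21T08:05:00Z", "event": "user.mfa.factor.enroll", "user": "dave", "ip": "203.0.113.12", "device": "known"}
"""

WINDOW = timedelta(hours=24)
REMOTE_CHANNELS = {"phone", "chat", "email"}
ALERT_THRESHOLD = 4


def parse_log(text):
    """Parse newline-delimited JSON events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Return one finding per MFA reset whose follow-up activity looks like a takeover.

    Scoring (assumed weights): a reset performed by a help-desk agent over a
    remote channel +2; a subsequent enrollment or sign-in from a device the
    user has never used +2 each; a privilege change +3. Anything at or above
    `threshold` within `window` of the reset is reported.
    """
    findings = []
    for i, reset in enumerate(events):
        if reset["event"] != "user.mfa.factor.reset":
            continue
        score, reasons = 0, []
        actor, channel = reset.get("actor", ""), reset.get("channel", "")
        if actor.startswith("helpdesk:") and channel in REMOTE_CHANNELS:
            score += 2
            reasons.append(f"reset by {actor} via {channel}")
        for follow in events[i + 1:]:
            if follow["ts"] - reset["ts"] > window:
                break  # events are sorted, so nothing later is in the window
            if follow["user"] != reset["user"]:
                continue
            if follow["event"] in {"user.mfa.factor.enroll", "user.session.start"} and follow.get("device") == "new":
                score += 2
                reasons.append(f"{follow['event']} from new device at {follow['ip']}")
            elif follow["event"] == "group.membership.add":
                score += 3
                reasons.append(f"added to {follow['target']}")
        if score >= threshold:
            findings.append({"user": reset["user"], "reset_at": reset["ts"].isoformat(),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

The point of the scoring is that no single event is alarming on its own: help desks do reset factors, and users do enroll new phones. It is the sequence (remote-channel reset, new device, privilege change, all within hours) that separates "bob" from "dave", and that sequence is invisible to any control that only evaluates the login.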

Why Training Falls Short

When recovery failures occur, the instinctive response is more training and tighter procedures. These measures help at the margins, but they don’t address the root problem: the absence of verifiable identity evidence during recovery.

Humans are not good at detecting deception at scale, especially when attackers are patient, prepared, and persistent. AI-assisted impersonation further tilts the balance, since voice alone is no longer proof of identity.

As long as recovery depends on judgment instead of evidence, it will remain exploitable.

A Verified Identity Must Be Reusable

The fundamental flaw in most recovery designs is that identity assurance is treated as disposable. Identity is verified during onboarding, then effectively discarded once credentials are issued.

When recovery is needed, organizations attempt to reconstruct trust using weaker signals than those used in the original proofing process. That inversion makes no sense. Recovery should not lower the bar; it should reference the strongest available evidence of identity.

Identity assurance must be something organizations can reliably return to. Not something that must be recreated on the fly under pressure.

This doesn’t mean forcing every recovery through manual review or adding friction indiscriminately. It simply requires designing systems in which verified identity can be reasserted without relying on memory, secrecy, or trust in the channel.

Designing Recovery for Adversarial Conditions

Recovery workflows should be built with the assumption that attackers will target them deliberately. That starts with treating resets and re-enrollment as high-risk events rather than routine ones. Sensitive actions should trigger step-up verification based on context and impact, not convenience.

Self-service recovery can still exist, but it must preserve identity assurance rather than weaken it. Otherwise, organizations simply trade help desk risk for automated risk. Just as important, recovery actions must be auditable. Organizations need to be able to demonstrate not just that access was restored, but why, and to whom.
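One way to put the two requirements above into code, step-up driven by impact and context and an audit trail that records who restored access and why, as an added example that is not the author's or 1Kosmos's code: the assurance levels, proof-method names, channel list and thresholds are assumptions chosen to illustrate the design, and the sample requests at the bottom are constructed.

```python
"""Step-up decision and tamper-evident audit record for an account-recovery request.

Added example for this article, not the author's or 1Kosmos's code. The
risk factors, assurance levels, proof-method names and thresholds are
assumptions chosen to illustrate the design, not a standard.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass
class RecoveryRequest:
    user: str
    action: str             # "password_reset" | "mfa_reset" | "device_replace"
    channel: str            # "self_service" | "helpdesk_phone" | "helpdesk_chat" | "in_person"
    privileged: bool        # account holds admin or other high-impact entitlements
    device_known: bool      # request comes from a device already bound to this user
    recent_resets_30d: int  # recovery events on this account in the last 30 days
    proof_presented: str    # strongest evidence the requester has offered so far


# Assurance levels (assumed): memory- and secrecy-based proofs count for nothing,
# because they are exactly what an impersonator with breached data already has.
PROOF_LEVEL = {"none": 0, "kba": 0, "email_link": 1, "bound_device": 2, "idv_document": 3}
METHOD_FOR_LEVEL = {1: "email_link", 2: "bound_device", 3: "idv_document"}


def required_level(req):
    """Impact and context decide the bar; convenience of the channel does not."""
    level = 1 if req.action == "password_reset" else 2   # MFA/device resets re-create trust
    if req.privileged or req.recent_resets_30d >= 2:
        level = 3                                         # high impact or repeat pattern
    if req.channel in ("helpdesk_phone", "helpdesk_chat") and not req.device_known:
        level = 3  # remote human channel with no device binding: voice/chat prove nothing
    return level


def decide(req):
    """Return (decision, required_level, reasons). Decisions: allow, step_up, hold."""
    need = required_level(req)
    have = PROOF_LEVEL[req.proof_presented]
    reasons = [f"action={req.action}", f"channel={req.channel}", f"privileged={req.privileged}",
               f"device_known={req.device_known}", f"recent_resets_30d={req.recent_resets_30d}",
               f"proof={req.proof_presented} (level {have}), required level {need}"]
    if req.recent_resets_30d >= 3:
        return "hold", need, reasons + ["repeat recovery: route to manual review"]
    if have >= need:
        return "allow", need, reasons
    return "step_up", need, reasons + [f"require {METHOD_FOR_LEVEL[need]}"]


class AuditLog:
    """Append-only records, each committing to the previous one's hash, so
    'who restored access, why, and to whom' can be shown and not silently edited."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, req, actor, decision, need, reasons):
        body = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                "request": asdict(req), "decision": decision,
                "required_level": need, "reasons": reasons, "prev": self._prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        self._prev = body["hash"]
        return body

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle(req, actor, log):
    """Decide, then write the audit record before any credential is touched."""
    decision, need, reasons = decide(req)
    log.record(req, actor, decision, need, reasons)
    return decision


if __name__ == "__main__":
    log = AuditLog()
    # Constructed requests: a phone-in MFA reset for an admin with only KBA,
    # and a self-service password reset from a bound device.
    print(handle(RecoveryRequest("alice", "mfa_reset", "helpdesk_phone", True, False, 0, "kba"), "helpdesk:carol", log))
    print(handle(RecoveryRequest("bob", "password_reset", "self_service", False, True, 0, "bound_device"), "self", log))
    print(log.verify())
```

Two design choices carry the argument of the article. First, knowledge-based answers map to assurance level 0, so a help-desk agent cannot lower the bar by accepting them; the only way to satisfy a level-3 request is the strongest proof the organization can actually verify, which is the "reusable" identity evidence the earlier sections call for. Second, the audit record is written with the decision and its reasons before any credential changes, and each entry commits to the previous one's hash, so an entry can be shown to have been there since it was written.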

As long as recovery remains the weakest link, attackers will continue to bypass strong authentication without ever needing to attack it directly.

Mike Engle

Mike Engle is co-founder and CSO at 1Kosmos. He was formerly head of information security at Lehman Brothers, and co-founder of Bastille Networks. Mike is a recognized expert in information security, business development, and product design/development.
