It’s notoriously difficult to implement an account recovery process that prevents fraud without creating more friction for customers who are already locked out and frustrated. In a US consumer poll, 63% said they get locked out of 10 online accounts per month. While account recovery is painful for customers, it’s easy for attackers. After all, recovery flows bypass the initial login, and bad actors exploit this weakness.
Banks, retailers and other service providers lose business if the process is too difficult, but if it’s too easy, they suffer the cost in terms of account takeover (ATO) fraud. It’s critical to verify that the person recovering an account is indeed the customer — without adding friction. It can be done, and in this article, we’ll tell you how. But first, let’s examine the clash of challenges businesses need to address.
Why account recovery is risky business
If a customer remembers their username, they can get a password reset link or code sent to their email address or phone as a form of authentication, a possession factor. It’s an easy, albeit tedious, process but does not prove the user’s identity with a high level of assurance (LOA). If the email account or phone has been compromised, a bad actor could be “recovering” the account.
Account recovery is even riskier when a customer forgets or no longer has access to the email address or phone number linked to their account. In this scenario, the customer (or imposter) may be asked to answer security questions or submit a photo ID. Guessable or compromised answers result in fraud, whereas identity verification, a more secure method, can result in higher attrition rates if the customer experience (CX) feels difficult.
Phishing-resistant authentication with face ID or fingerprint biometrics can solve many of these problems. But what if the customer loses or replaces the device that stored their biometric and private key? Most ‘passwordless’ solutions fall back to a password to recover an account, which means the account remains vulnerable to phishing and other ATO tactics.
Even passwordless authentication that’s truly password-free cannot prevent ATO on its own given that attackers can hijack or compromise active sessions.
Account recovery vulnerabilities
To implement an account recovery process that prevents fraud without creating more friction for customers, it’s essential to examine and address all of the vulnerabilities:
Weak recovery methods: Most companies use security questions (KBAs), email reset links and/or SMS one-time passcodes (OTPs), but these methods are not foolproof for a variety of reasons:
- Exposed security questions: Answers can be phished or found online, like a mother’s maiden name or childhood pet.
- Reliance on email: There’s no guarantee the email reset link is going to your customer. If a fraudster takes over an email account, it’s a single point of failure that will allow the attacker to request reset links for all of the victim’s accounts.
- OTP capture: Attackers use banking trojans to intercept SMS OTPs or push notifications. Likewise, remote access trojans (RATs), which give the attacker access to a victim’s OS, screen and keystrokes, steal OTPs as they are displayed or typed. Codes can also be intercepted by OTP capture bots that exploit application vulnerabilities. SIM swaps and man-in-the-middle attacks can intercept security questions, email reset links and OTPs.
Phishing for credentials: Fraudsters often use password reset emails in phishing attacks, prompting victims to enter their credentials, OTP and/or security questions. All types of phishing attacks increased in 2023, rising 1,265% — largely attributed to generative AI (GenAI). With image generation and translation tools, fraudsters are creating flawless phishing campaigns that evade legacy detection and deceive more victims.
Voice deepfakes: The abuse of GenAI extends to call centers where voice cloning is able to dupe voice authentication systems, used as an account recovery method. With just 3 seconds of audio obtained from phishing calls or online voice recordings, novices can create deepfakes that pass voice authentication, even liveness checks.
Fake IDs: Some companies now require a photo ID for account recovery. But to pass identity verification, fraudsters use high-quality fake IDs, purchased or created online.
Account recovery: the wrong approach
Stitching together multi-vendor solutions: Adding disparate solutions for fraud detection, identity verification and authentication adds complexity and overhead costs. It requires difficult integrations, decision-making structures, coding and tuning cycles.
Siloed detection engines: Disparate anti-fraud and identity solutions, each with a narrow set of visibility and detection methods, result in data silos and blind spots, unable to assess the full context of each account recovery request. Analyzing a limited set of signals leads to errors, which disrupt customers or allow fraud.
Poor CX: Cumbersome account recovery processes and detection errors create more friction. If you invoke unwarranted step-up challenges, customers grow frustrated.
Relying on customer support: Analysts estimate 20-50% of customer support requests are for account recovery, and each call costs $70 or more. For customers, having to call support is irksome and can negatively impact brand loyalty and retention.
Account recovery: the right way
AI-driven fraud detection and orchestration are essential to adapt user flows based on risk and trust, invoking identity verification or MFA step-ups in moments of risk or removing friction when there’s a high LOA. Its dynamic nature is similar to risk-based authentication, giving rise to the term: risk-based account recovery.
For instance, if a customer recovers their account with an email magic link or one-time passcode (OTP), our fraud detection engine passively verifies the user with behavioral biometrics and device fingerprinting. If there are signs of risk, orchestration can invoke another authentication method or ID proofing. Automated identity verification must offer a simple, guided process that analyzes photo IDs and live selfies with supreme accuracy.
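The risk-based recovery flow described above, as an added illustration that is not Transmit Security’s code: passive signals (device match, behavioral score, IP risk, recent SIM swap, malware indicators) are combined into a risk score, and the least-friction path that still gives enough assurance is chosen. Signal names, weights, thresholds and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    OTP_ONLY = "email_or_sms_otp"               # low risk: passive checks suffice
    STEP_UP_MFA = "passkey_on_trusted_device"   # medium risk: transfer trust from another device
    SELFIE_MATCH = "selfie_vs_stored_id"        # ID verified before: re-verify with a selfie
    ID_PROOFING = "document_plus_selfie"        # high risk, no prior ID: full identity verification
    DENY = "deny_and_alert"                     # client is compromised: do not proceed


@dataclass
class RecoveryRequest:
    user_id: str
    device_known: bool          # device fingerprint matches an enrolled device
    behavior_score: float       # 0.0 (bot-like/atypical) .. 1.0 (matches the user's usual behaviour)
    ip_risk: float              # 0.0 (clean) .. 1.0 (anonymizer / high-abuse network)
    sim_swap_recent: bool       # carrier reported a SIM change within the lookback window
    malware_detected: bool      # overlay / RAT indicators on the client
    other_trusted_devices: int  # enrolled devices the customer still holds
    id_verified_before: bool    # a photo ID was verified (e.g. at account opening)


def risk_score(r: RecoveryRequest) -> float:
    """Combine passive signals into a 0..1 risk score (weights are assumptions)."""
    score = 0.0 if r.device_known else 0.30
    score += 0.35 * (1.0 - r.behavior_score)
    score += 0.20 * r.ip_risk
    score += 0.25 if r.sim_swap_recent else 0.0   # alone this already excludes OTP_ONLY
    return min(score, 1.0)


def choose_path(r: RecoveryRequest, low: float = 0.25, high: float = 0.55) -> Path:
    """Map the risk score to the recovery path, as an orchestration rule would."""
    if r.malware_detected:
        return Path.DENY
    risk = risk_score(r)
    if risk < low:
        return Path.OTP_ONLY
    if risk < high and r.other_trusted_devices > 0:
        return Path.STEP_UP_MFA
    # High risk, or no other device to transfer trust from: prove identity.
    return Path.SELFIE_MATCH if r.id_verified_before else Path.ID_PROOFING


# Constructed sample requests: a returning customer, a new device, and an attacker-like request.
SAMPLES = [
    RecoveryRequest("u1", True, 0.9, 0.1, False, False, 1, True),
    RecoveryRequest("u2", False, 0.8, 0.1, False, False, 2, True),
    RecoveryRequest("u3", False, 0.2, 0.9, True, False, 0, False),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.user_id, round(risk_score(req), 3), choose_path(req).value)
```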
Account Recovery with Transmit Security
Transmit Security is the only vendor that offers a fusion of fraud prevention, identity verification and customer identity management services in one, consolidated platform.
What does this mean for account recovery? Transmit Security offers the only risk-aware account recovery solution able to detect and mitigate risk or remove friction for trusted customers. A unified platform addresses the full use case out of the box — to secure account recovery, optimize UX, reduce costs and increase revenue.
The Transmit Security account recovery solution includes:
- A full set of authentication methods: One service makes it easy to offer passkeys, passwordless, email magic links, OTPs, KBAs, social logins or any combination.
- True passwordless MFA: Customers can easily and securely transfer trust to other devices, eliminating the need to use passwords to recover an account.
- Multi-method fraud detection: AI-driven behavioral biometrics, device fingerprinting, bot detection, and authentication analysis are among hundreds of detection mechanisms that run passively in the background without interfering with the customer experience.
- Robust malware detection: stops new and evolving threats, including trojans, password reset overlays, keyloggers, OTP harvesting and other malicious behaviors.
- AI-driven identity verification: Vision AI inspects ID templates, fonts, holograms and other features, using 150+ weighted analyses and ML to spot today’s deceptive fake IDs.
- Easy UX: A simple UI guides customers to take 3 photos, and results arrive in seconds. With Transmit Security, customers only need to submit an ID once. If they’ve already done identity verification for account opening, for instance, they can later recover their account with a selfie, which is compared to the ID previously provided.
- Identity management: A unified user store provides visibility of each user’s devices, authenticators, risk scores and applications via one console — for a single source of truth.
- Identity orchestration: Integrates all of these capabilities — no coding required. Consolidation minimizes complexity and seals the cracks to prevent fraud, even deceptive attacks and fake IDs. A drag-and-drop journey editor makes it easy to build account recovery flows, establishing if and when to invoke identity verification, MFA or advanced combinations.
With a layered, plug-and-play account recovery solution, cloud-native capabilities work in concert to deliver the agility, simplicity, speed and accuracy you need — along with the resiliency and scale to keep millions of customers happy and loyal.
Read our full account recovery use case. Or request a meeting so we can tailor a solution to solve your specific challenges.