Account Recovery

All systems that require authentication of users share a common problem: users are human.  Users forget or lose their credentials, lose, reimage, break, or sell hardware with embedded credentials (e.g., a phone or laptop).  Account access is lost when users lose access to an email address their account is bound to.  In some systems, credentials expire and need to be reissued.  The common theme is that users need alternative mechanisms to restore access to the accounts whose credentials are unavailable.The following article establishes a framework for evaluating Account Recovery mechanisms and establishes recommendations for Account Recovery in consumer, education, enterprise, and government spaces by identifying the benefits and risks of common mechanisms.  Given the variety of concerns – privacy, security, and access continuity - in different domains, the reader of this document is expected to apply the guidance herein alongside their domain expertise and judgment to design, develop, and deploy Account Recovery mechanisms for their online systems.  Due to the intersection between Account Recovery actions and Customer Service teams, the author strongly recommends that the reader also consult the article “Managing Identity in Customer Service Operations” in the IDPro Body of Knowledge.