The forgot-password flow is often the easiest way into an account. The password may be strong; the recovery route around it may not be. An attacker who wants into your account today often does not bother with the password at all. They go through recovery.
Recovery usually asks for an email address or a phone number, and sometimes a security question. If an attacker controls any of these (a breached mailbox, a SIM swap, an old answer found on social media), they reset the password and walk in. The original password becomes irrelevant.
Each account has its own recovery setup. The setup is usually done once and left. The phone number on file may be your old one. The recovery email may be an address you no longer use. The security questions may have answers that are now public knowledge. The setup that was reasonable five years ago may be the weakest part of the account today.
Review the recovery settings on every significant account periodically. Replace SMS recovery with a hardware key where the service allows it. Replace old recovery emails with a current address that has strong protection of its own. Remove security questions where the option exists; where it does not, use random answers that are not your real answers and keep them in a password manager.
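The review above is a checklist applied to each account. As an added example (not code from the original page or from the desk it describes), the script below runs that checklist over a small inventory of accounts: it flags recovery emails and phone numbers that no longer match the ones you currently hold, SMS-only recovery where a hardware key could replace it, and security questions that should be removed or given random answers. The account records, service names, addresses and numbers are constructed sample data; the `Account` fields are an assumed shape for what you would copy out of each service's settings page.

```python
"""Recovery-route audit over a small account inventory.

Added example, not from the original page. All account records, service
names, email addresses and phone numbers below are constructed sample data.
"""
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class Account:
    service: str
    recovery_emails: list = field(default_factory=list)
    recovery_phones: list = field(default_factory=list)
    sms_recovery: bool = False           # a password reset can be completed with an SMS code
    hardware_key: bool = False           # a hardware security key is enrolled
    security_questions: int = 0          # number of security questions on file
    supports_hardware_key: bool = True   # the service offers hardware-key enrolment
    can_remove_questions: bool = True    # the service lets you delete security questions


def audit(acct: Account, current_emails: set, current_phones: set) -> list:
    """Return the open recovery routes on one account as human-readable findings."""
    findings = []
    # Recovery contacts you no longer control are the most direct route in.
    for email in acct.recovery_emails:
        if email.lower() not in current_emails:
            findings.append(f"stale recovery email on file: {email}")
    for phone in acct.recovery_phones:
        if phone not in current_phones:
            findings.append(f"stale recovery phone on file: {phone}")
    # SMS recovery is SIM-swappable; prefer a hardware key where the service allows it.
    if acct.sms_recovery and not acct.hardware_key:
        if acct.supports_hardware_key:
            findings.append("SMS recovery without a hardware key; enrol a key and turn SMS off")
        else:
            findings.append("SMS recovery and no hardware-key option; this route stays open")
    # Security questions: remove them, or replace the answers with random strings.
    if acct.security_questions:
        if acct.can_remove_questions:
            findings.append(f"{acct.security_questions} security question(s) on file; remove them")
        else:
            findings.append(f"{acct.security_questions} security question(s) cannot be removed; "
                            "set random answers and keep them in a password manager")
    return findings


def random_answer(length: int = 24) -> str:
    """A random 'answer' for a security question that cannot be removed."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_all(accounts: list, current_emails: set, current_phones: set) -> dict:
    """Map each service name to its list of findings (empty list means nothing open)."""
    return {a.service: audit(a, current_emails, current_phones) for a in accounts}


# Constructed sample inventory: the contacts you hold today, and three accounts.
CURRENT_EMAILS = {"me@example.com"}
CURRENT_PHONES = {"+15550100"}
SAMPLE_ACCOUNTS = [
    Account("mail-provider", recovery_emails=["old@example.net"],
            recovery_phones=["+15550100"], sms_recovery=True),
    Account("bank", recovery_phones=["+15550199"], sms_recovery=True,
            supports_hardware_key=False, security_questions=3, can_remove_questions=False),
    Account("cloud-console", recovery_emails=["me@example.com"], hardware_key=True),
]

if __name__ == "__main__":
    for service, findings in audit_all(SAMPLE_ACCOUNTS, CURRENT_EMAILS, CURRENT_PHONES).items():
        print(service)
        for line in findings or ["no open recovery route found"]:
            print("  -", line)
```

Run it once against your own inventory and again after each change; an account whose findings list is empty has no recovery route the checklist can see, which is the state the review is trying to reach. The script only reports what you typed into the inventory, so it is only as current as your last pass through each service's settings page.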
The desk reviews these settings with the client and addresses the recovery routes that are currently open.