A serious account is, in most cases, well-defended against the obvious approaches. The password is strong; the second factor is enabled; the device is recognised; the unusual login is challenged. A determined approach from outside, on the technical front, would take resources that are rarely available to the kind of party most principals are exposed to.

The administrative front is sometimes a different matter. The same provider that operates the well-designed login also operates a customer service function. The customer service function is staffed by people whose job is to help customers, particularly customers in difficulty. The procedures they follow are designed for the principal who has lost their phone, forgotten their password, or otherwise cannot get into their own account.

An administrative request that follows the procedure carefully can, in some cases, achieve what the technical attack could not. The account is opened, not by breaking the lock, but by walking through the customer service door with the right answers. The provider, on their side, has done nothing wrong; they have served what appeared to be the customer in need.

The pattern persists because both halves are necessary. The technical defence is necessary because most attempts are technical. The administrative route is necessary because most customers, occasionally, need a way back in. Removing either half is impractical. The discrepancy between them is, however, a fact about how the system actually works.

The work in this category is again administrative. It is about understanding, for the providers that matter, what their procedures presently allow, what additional safeguards they will agree to put in place for the principal's account, and how the principal would be alerted if such a request were made. The result is rarely a perfect defence; it is, in most cases, sufficient to ensure that the administrative path is not easier than the technical one.