Fail secure: if you lose your email, your account is forever locked.
Fail safe: if you lose your email, your account is not forever locked. But someone else might be able to get your account by pretending you lost your email.
There are no other choices.
When the electronic door controller loses power, either the door stays locked, or the door stays unlocked. In case of a fire you want it unlocked so people can get out. But then a burglar can cut the power to get in. Doors that stay permanently locked in a power outage are only permitted in extreme cases where security is of the utmost importance. Obviously Instagram accounts aren't as important as doors in a fire.
You could provide a delay feature… if you request this sort of reset, it takes 3 days, and emails are sent to the primary address every day with the countdown. If your email isn't lost, you would see these warnings.
You could let an account holder designate emergency contacts (other accounts) that are allowed to request a reset if you lose your primary email (again with a time delay to allow you to block malicious takeover attempts).
Recovery keys, security questions, real life identity proof, etc, are all other possible options, too.
The delay is quite a bother but it's surely better than account takeover. What I mind about the process is probably the lack of transparency - what combination of factors (MFA pieces, location, inactive time, ...) launches which process? I get that transparency might help attackers here but they're the ones to have the persistence to figure out the rules anyway. Smells like security through obscurity to me.
Having 1 or 2 backup email accounts and/or an SMS sent to a registered mobile phone number seems to me to be relatively simple to implement.
Along with a built-in delay, the inconvenience of having to wait is way better than losing access to critical accounts.
If you recover a Microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request.
You can deny it, or if you ignore it for 30 days the request goes through.
Seems to be the best system IMO
The fun part is that you can't disable OneDrive. No matter how many times I turn it off it always keeps turning OneDrive back on to put my private data in the cloud for the attackers. Of course I can't block the methods that are obviously under attack either.
And the lack of a login history view means I have no way to know if they were successful yet. Support has never been good (for legitimate users) and is basically non-existent with AI now.
I would recommend you look at some other guides before you do this but the gist is My Account > Your Account > Manage Account Information. Then you can add a new email that you do not share as your primary login email, and disable login from the email you use to send emails.
However, I can use any of them to initiate a login attempt. I have my account set to passwordless, I don't know if that is relevant (every login attempt triggers an MFA prompt).
If I click on "Edit account info" I am taken to a page where I can choose which address is the "Primary", but given that ANY of the aliases can be used to initiate a sign-in, I don't see any benefit in changing that.
EDIT: I wasn't being adventurous enough. The option to change which aliases can be used to sign in is under (surprisingly) "Sign-in preferences".
In my defence, that page wasn't loading properly in Firefox with all my privacy add-ons enabled. I was able to access it in Edge.
EDIT2: I've changed my primary alias to a newly created one. If I am still able to sign in OK in a couple of days, I will disable the old primary for sign-in. I hope I don't live to regret this!
Would show any logins or security info updates etc
So there is no way to flag them as malicious and if you accidentally accept, then it’s already too late.
Pretty annoying setup.
That's a good measure, but it would fail for the attack scenario in TFA: the attacker claims their account was hacked, so presumably (if the support AI "believes" them) the notification email is compromised. If the account was hacked, you cannot let the one receiving the notification cancel your recovery attempt, which they will of course try to do. Of course in this exploit it's all a lie, but what if your account truly was hacked and you were genuinely trying to recover it?
Now I want to log in with the correct password, because it's been such a long time, it locks me out unless I give it 2 security answers. I've tried to reset it by email, it still locks me out on next login and asks for 1 security answer, I can't find any answer, I have no clue if it's case-sensitive and details like that. I went to an Apple store, they told me to contact the support, I have contacted the support, they can't do anything. Maybe my last hope is GDPR since I'm in the EU, have the account deleted.
I try to only depend on services which have this property. I don't succeed.
This comes back to haunt you in the future.
I'm not sure what alternative you are proposing. This only gets much, much worse when the aging person is trying to use a password...
Or you get elected to high office and consequently getting to the branch is a bit ... faffy[0]
[0] https://chicago.suntimes.com/pope-leo-xiv/2026/05/06/pope-le...
So humble that he was able to change his information over the phone by threatening directly to the president of the bank that he'd use a different bank if they didn't let him, and the president bent over backwards to meet this demand. He's just like us!
There's a whole wide age and knowledge/competence where older people can still fall for scams (or can't know if it's legit or a scam) but on the other hand are still capable to go to whatever office/bank they need to go.
Every time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.
I've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/
If some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.
My wife is trying to sort something with a famous Irish airline who are well known for messing people around. She has LPA/POA for her mother but rather than the airline accepting the VCode (this is the UK) the airline are requesting to see the original POA certificate which is just ridiculous. They seem to be moving a little quicker now there is solicitor involved.
Given how much back and forth there has been it's probably cost the airline more than just refunding the amount at the first request. We'll keep going to prove a point.
Using the door and fire scenario, you can have manual opening method available, just make it only available on the inside.
I get that this also is technically a 2FA bypass but the cost is extreme and it's really hard to impersonate someone in real life.
If it's not feasible, I can see an argument that large enough companies should be required to provide in person support options.
Facebook definitely has enough money to facilitate this.
The question is how much effort and authority is required to gain access through alternative means, not whether it's possible.
It's always a question of how much, insofar as kidnapping Mark Zuckerberg or winning an order from a Federal Judge are two of the possible scenarios.
Fail safe noisily and implement a cooldown period.
It would mean that someone can't gank an account from under you while you're using it, but you could recover it after a week if you lose access to your email.
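The "delay plus daily warning" recovery flow sketched upthread (the 3-day countdown with emails to the primary address, designated emergency contacts allowed to file a request, and the "fail safe noisily with a cooldown" summary just above) is small enough to show as a state machine. The following is an added illustration written for this thread, not code from Microsoft, Meta or any other provider mentioned here; the class and field names, the 3-day default, and the in-memory "outbox" standing in for real e-mail delivery are all assumptions made for the example.

```python
"""Delayed account recovery: a contact-change request only takes effect after a
cooldown, the *current* address is warned every day with a cancel token, and only
someone who can read that mailbox can cancel. Added illustration, not provider code."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

DAY = timedelta(days=1)


class State(Enum):
    PENDING = "pending"
    CANCELLED = "cancelled"
    COMPLETED = "completed"


@dataclass
class Account:
    username: str
    primary_email: str
    # Usernames the owner pre-approved to file a reset on their behalf (hypothetical field).
    emergency_contacts: frozenset = frozenset()


@dataclass
class RecoveryRequest:
    account: str
    new_email: str
    requested_by: str
    created_at: datetime
    deadline: datetime
    cancel_token: str          # delivered only to the OLD primary address
    state: State = State.PENDING


class RecoveryService:
    def __init__(self, accounts, cooldown=3 * DAY):
        self.accounts = {a.username: a for a in accounts}
        self.cooldown = cooldown
        self.requests = {}   # username -> RecoveryRequest
        self.outbox = []     # (recipient, message) pairs; constructed stand-in for e-mail

    def request_reset(self, account, new_email, requested_by, now):
        """Owner (who lost the mailbox) or a designated emergency contact asks for a change."""
        acct = self.accounts[account]
        if requested_by != account and requested_by not in acct.emergency_contacts:
            raise PermissionError("only the owner or a designated emergency contact may request")
        pending = self.requests.get(account)
        if pending is not None and pending.state is State.PENDING:
            raise RuntimeError("a recovery request is already pending")  # no stacking requests
        req = RecoveryRequest(account, new_email, requested_by, now,
                              now + self.cooldown, secrets.token_urlsafe(32))
        self.requests[account] = req
        self._warn(acct, req, now)
        return req

    def tick(self, now):
        """Daily job: re-warn the old address, or complete a request whose cooldown elapsed."""
        for req in self.requests.values():
            if req.state is not State.PENDING:
                continue
            acct = self.accounts[req.account]
            if now >= req.deadline:
                acct.primary_email = req.new_email
                req.state = State.COMPLETED
                self.outbox.append((req.new_email, f"{acct.username}: recovery complete"))
            else:
                self._warn(acct, req, now)

    def cancel(self, account, token):
        """Hit from the link in the warning mail; possessing the token proves mailbox control."""
        req = self.requests.get(account)
        if req is None or req.state is not State.PENDING:
            return False
        if not secrets.compare_digest(token, req.cancel_token):
            return False
        req.state = State.CANCELLED      # a real system would also open an incident here
        return True

    def _warn(self, acct, req, now):
        days_left = -((now - req.deadline) // DAY)   # ceiling of remaining whole days
        self.outbox.append((acct.primary_email,
                            f"{acct.username}: contact change to {req.new_email} requested by "
                            f"{req.requested_by}, effective in {days_left} day(s); "
                            f"cancel token {req.cancel_token}"))
```

Two properties worth noticing. Nothing in this flow ever asks support staff to judge a story: the only inputs are time passing and a token that can exist only in the old mailbox, which is what makes it resistant to the "my account was hacked, please believe me" pitch. The flip side is the objection raised later in the thread about TFA's scenario: if the old mailbox really is in an attacker's hands, they hold the cancel token and the legitimate owner cannot win through this path, so a cancellation should be treated as a signal to freeze further changes and escalate, not as the end of the matter.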
Crazy Domains (one of the few registrars for my ccTLD) removed 2FA from my account (that was in the process of getting hijacked) despite me being on the phone with them specifically telling them not to do so [1][2].
What's worse was that my account got targeted by the same hijacker again when they seemingly changed their support system, and was hijacked for a few hours, leading to my Twitter account getting compromised (this happened around the same time fElon laid off a bunch of people and removed phone-based 2FA from accounts).
Fuck Crazy Domains and Newfold Digital (formerly known as EIG).
I eventually lost my OG username because fElon wanted it for his Grok nonsense anyway [3]. Fuck Elon too.
[1] https://news.ycombinator.com/item?id=47913341
If they didn’t care at all about your instructions the first time?
We needed to delete a storage volume to urgently free up space, and apparently this was locked in a way the storage vendor was required to act as a "second key" to ours to make the destructive action. We had never properly set this up, and I never had even logged into my "support" account with them before. They required two authorized contacts on our end for them to confirm the action.
The process was effectively my colleague handling the sev1 incident asking me to join their Zoom call. They asked for my 2FA and I said I never had one configured and obviously did not receive it since my e-mail was not setup with them. The (obviously outsourced) support rep decided just pasting the code into Zoom chat and then having me read it back to them was Good Enough(tm) and the process continued.
I was a little too surprised at this at the time to think about it too much. But the fact they could see the expected generated code, and type it in themselves into their system was at least interesting to me. Not quite sure how I feel about it, since this did indeed save us from a sev1 going sev0 - but overall it's obviously quite vulnerable to both social engineering and insider attack.
It's certainly a difficult tradeoff. Not sure I would hand that sort of "override" capability to someone who was clearly a Tier 1 or 2 support rep - I'd probably bury it (but in a different manner) somewhere that required escalation to a higher authority but still could be done in a timely (minutes, not hours) manner. Who knows though, as organizations scale this gets harder and harder.
Urgency.
Emotions.
It's all there, and high-stakes environments with no proper protocol are most vulnerable.
Source: used to work part-time in IT support at a hospital, by now 10+ years ago, so it was routinely requested to circumvent regulations and security protocols, even medical ones (cough Windows in ICU monitors and other medical "kiosk" PCs that should absolutely not run Windows)
Unfortunately Siemens woke up.
admin
or Administrator
?
Horrific, people should be jailed for cyberattacks when they carelessly just give out this word.
The experiences I meant were mostly
- password reset requests (admittedly, we had a protocol even then to strictly require a "physical signature", normally meaning Fax or internal snail mail)
- medical protocols: don't wanna go into too much detail here, but:
1) Windows requires a lot of maintenance, often even hard restores, to function normally, even when sold as the UI for physical ICU monitors
2) Medical personnel often are severely overworked, especially people in important, but not formally highly-qualified roles. And things like surgery rooms and ICUs often have very slim time slots.
With the former, you should not enter into them without wearing appropriate clothing.
It doesn't prevent people working there from requesting you to finally come over and make that UEFI-Windows-Crapware-Kiosk-PC which was sold as a medical device boot... of course especially not when there is an ongoing surgery nearby. And of course, your higher-ups will be there to help you sort out these issues without violating protocols...
Thankfully I didn't do careless things there and haven't witnessed IT-related disasters there. But still, I gave these examples for a reason :D
There was a healthy culture but some of the situations encountered in medical IT support should really require specialized, short-term training.
Keeping up rigorous hygiene protocols requires dedicated work by professionals, especially in a large hospital.
And the same argument can be made for account protection and user support for large software providers.
I highly advise that you download and back up any of your personal data on all your social media accounts for yourself and your loved ones. These large companies do not care about you beyond showing you ads for drop-shipped garbage from China and AI slop TikToks.
Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check?
Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do.
I expect his Holiness might agree.
https://www.theverge.com/2013/5/2/4292744/facebook-trusted-c...
The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely.
I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life.
But how often does one need to do recovery procedures like this?
How much less convenient is it for everyone else to be at risk of their account being taken over?
The least terrible seem digital id.
How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much.
If you ever need to interact with the service again, you initiate account recovery using a combination of your contact info and some codes printed on your monthly bill.
I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?
https://pages.nist.gov/800-63-4/
I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.
That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.
That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.
My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (chatbot or other generative AI interface vulnerable to the usual suspects of AI inherent attack surface). Don't build the bad way, the right way is known and straightforward.
It's an impressive level of incompetence.
Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high risk high value customer journey, data flow, or code path, that is an anti pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high cost failure modes), you will need to prove this extraordinary claim with evidence.
Choose Boring Technology - https://news.ycombinator.com/item?id=9291215 - March 2015 (212 comments) ["Am I using this project as an excuse to learn some new technology, or am I trying to solve a problem?"]
I get paid to manage risk efficiently, including being measured on time and budget spent against the success criteria, ymmv; my comp and budget is not dependent on how much AI I shove into security systems. "What am I optimizing for?"
Amazon scraps AI leaderboard to stop workers chasing usage scores - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments)
I am very curious about the actual number of users of login.gov.
I am a US citizen and my experience was … negative to the point of actively avoiding it.
"Login.gov has surpassed 100 million registered user accounts. The platform facilitates over 300 million sign-ins annually and sees more than 10 million monthly active users, acting as a secure single sign-on solution across nearly 50 federal, state, and local agencies."
https://www.login.gov/partners/faq/
(It is the primary identity provider for Social Security Administration, IRS will eventually adopt it [1])
[1] IRS to adopt Login.gov as user authentication tool - https://news.ycombinator.com/item?id=30430851 - February 2022 (182 comments)
I recently tried to access my google account on a new browser install. Google did not believe my login/password was sufficient, and insisted on me surrendering my phone number:
> To help keep your account safe, Google wants to make sure it’s really you trying to sign in [...]
> Enter a phone number to get a text message with a verification code.
I have never given my phone number to Google for that account (I have a separate account on my Android phone).
So how on earth this will "make sure it's really you" I have no idea.
I am unable to access Google from my new browser install so am stuck with using my old one for anything which requires a Google login.
I guess at some point I'll try and resolve it by adding a recovery email or something, but.. my inclination is to throw Google and the account in the trash right now.
The fact it can be removed by anyone is the problem. If you lose access to your 2FA (and recovery codes) then you should lose access to your account. Having it removable by anyone (other than a logged in account holder) defeats the entire point.
At least make it a major pain in the ass to recover like AWS, which requires some kind of notarised identity verification [1].
If you lose your password or 2FA, you should lose your account, too bad so sad.
Not saying it should be easy or routine, it should not be. But it must be possible.
I just save them in my password manager.
As best as I can tell, everyone I work with simply doesn't save them at all and initiates a password reset if they lose their password/2FA.
Suddenly I was happy that low level support staff could remove it. (I needed to scan my passport and photo. This was way before modern image generation.)
The lack of account support is a safety feature, not a flaw. If your accounts are valuable to you, act like an adult and write down the recovery codes on paper.