Passwordless security was hyped as the ultimate solution to compromised credentials, but hackers are already finding workarounds.
The real vulnerability doesn’t lie in the passwordless tech itself. According to Nokia Bell Labs researcher Sid Rao, who spoke at Black Hat 2025, the real danger is the account recovery process. Rao cautioned the crowd that “account recovery is the new breach path, and nobody’s paying attention.”
After auditing 25 major platforms, Rao’s team discovered that all of them were susceptible to attacks exploiting the recovery phase. The underlying cryptography is solid, but the way these recovery systems are designed leaves the door wide open.
When Recovery Undoes Security
In a passwordless setup, users sign in with passkeys, biometrics, or hardware tokens. But almost every major platform still keeps a recovery option that falls back to something weaker—like email links or SMS codes.
Rao’s team found systems that reused expired tokens, left “magic link” URLs active for hours, or allowed old passwords to unlock supposedly passwordless accounts. One site even let attackers reset admin credentials using a forgotten customer-support API.
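The three defects in that paragraph (reused expired tokens, magic links left live for hours, and tokens not tied to the account they reset) are all failures of token lifecycle handling. As an added illustration, not code from the article or from Rao's audit, the Python sketch below shows a recovery-token store that rejects each of them and logs every rejection, since a burst of failed redemptions against one account is itself a detection signal. The 15-minute lifetime, the `RecoveryService` class and the account names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example: an in-memory recovery-token store that rejects replayed,
# expired and mis-bound tokens. The 15-minute lifetime is a hypothetical policy
# value chosen for the example, not any vendor's setting.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class RecoveryToken:
    account_id: str
    token_hash: str          # only a hash is stored, so a database leak does not leak live links
    expires_at: float
    consumed: bool = False


class RecoveryService:
    def __init__(self, clock=time.time):
        self._clock = clock                                # injectable for testing expiry
        self._tokens: dict[str, RecoveryToken] = {}        # keyed by token hash
        self.audit_log: list[str] = []

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, account_id: str) -> str:
        """Mint a single-use, short-lived token for one account.

        Issuing a new token burns any earlier live token for the same account,
        so an older link cannot be redeemed after a second recovery request.
        """
        for rec in self._tokens.values():
            if rec.account_id == account_id and not rec.consumed:
                rec.consumed = True
        raw = secrets.token_urlsafe(32)                    # 256 bits of entropy
        digest = self._hash(raw)
        self._tokens[digest] = RecoveryToken(
            account_id, digest, self._clock() + TOKEN_TTL_SECONDS)
        self.audit_log.append(f"issued recovery token for {account_id}")
        return raw                                         # delivered out of band, never logged

    def redeem(self, account_id: str, raw: str) -> tuple[bool, str]:
        """Return (ok, reason). Every failure path is logged."""
        rec = self._tokens.get(self._hash(raw))
        if rec is None:
            reason = "unknown token"
        elif rec.consumed:
            reason = "token already used"                  # replay of a consumed token
        elif self._clock() > rec.expires_at:
            reason = "token expired"                       # magic link that outlived its TTL
        elif not hmac.compare_digest(rec.account_id, account_id):
            reason = "token not bound to this account"     # token issued for someone else
        else:
            rec.consumed = True                            # single use: burned on success
            self.audit_log.append(f"recovery completed for {account_id}")
            return True, "ok"
        self.audit_log.append(f"recovery REJECTED for {account_id}: {reason}")
        return False, reason


def demo() -> list[tuple[bool, str]]:
    """Walk the store through the failure modes with a controllable clock."""
    now = [1_000_000.0]
    svc = RecoveryService(clock=lambda: now[0])
    results = []
    tok = svc.issue("alice")
    results.append(svc.redeem("mallory", tok))            # wrong account for this token
    results.append(svc.redeem("alice", tok))              # legitimate, succeeds once
    results.append(svc.redeem("alice", tok))              # replay of the consumed token
    tok2 = svc.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1                       # let the link outlive its TTL
    results.append(svc.redeem("alice", tok2))             # expired
    old = svc.issue("bob")
    new = svc.issue("bob")                                # second request supersedes the first
    results.append(svc.redeem("bob", old))                # superseded link is dead
    results.append(svc.redeem("bob", new))                # current link works
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The store never compares a raw token against a stored one; it hashes the presented value and looks the hash up, so a leaked table of issued tokens is not a list of working links. Issuing a fresh token on every request is the design choice that prevents an attacker from holding an earlier link in reserve while the user triggers a new one.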
“Users think they’ve gone passwordless,” Rao said. “But their accounts haven’t.”
The passwordless trend solved credential theft, but it didn’t solve human behavior. Recovery flows have become the path of least resistance for attackers because they’re designed for speed, not scrutiny.
Help desks still verify identity with caller ID. Chatbots still ask “personal” questions anyone can guess. And automated recovery systems often don’t verify that the person resetting an account is the account owner.
The result is a quiet crisis of convenience: frictionless design that keeps breaking security in the same old ways.
Rethinking the Lifecycle
Rao’s team calls for what they term identity lifecycle security—treating login, recovery, and revocation as one continuous process. Some large vendors, including Microsoft and Google, are beginning to tie recovery keys to hardware-based devices instead of emails or phone numbers.
“The goal isn’t to remove passwords,” Rao said. “It’s to remove weak recovery.”
He urged companies to red-team their own recovery processes. “If an attacker can use it faster than your users can,” he said, “you don’t have security—you have an exploit.”
Passwordless authentication may stop phishing, but recovery flows can still hand attackers the keys. In Rao’s words, “Attackers don’t break passkeys. They reset them.”
As passwordless adoption spreads, the next big breach might start with the oldest trick in the book: helping someone log back in.