Security Hygiene

Account Recovery Is the Weakest Link: How to Get It Right

June 13, 2026 · 8 min read · Haven Team

You can pick a 20-character password and guard a hardware key with your life — and still lose your account in five minutes if the "forgot password" flow behind it is weak. Attackers know this. They rarely fight the front door; they walk around to the recovery path, which is almost always the softest part of the wall.
Account security gets discussed as if it were a single thing — a strong password, two-factor authentication, done. But every account actually has two doors: the front door you use every day, and the recovery door you use when you're locked out. An attacker only needs to beat the weaker of the two. Spend all your effort hardening the front door and you've simply told them which way to go around.

This is the recovery paradox. The recovery path must be easy enough that a legitimate, panicked, locked-out user can get back in, and hard enough that a determined attacker can't. Those goals pull in opposite directions, and most services resolve the tension by erring toward "easy" — which is why recovery is so often the breach.

Security Questions: Don't

Knowledge-based recovery — your mother's maiden name, your first pet, the city you were born in — is the worst common method, and it persists mostly out of inertia. The answers are not secret. They are often public record, scrapeable from social media, or guessable for a target you know anything about. Worse, they're static: you cannot change where you were born after it leaks.

The U.S. NIST digital identity guidelines (SP 800-63B) explicitly discourage knowledge-based authentication of this kind. If a service forces you to set security questions, the standard advice from security practitioners is to treat the answers as random passwords — generate gibberish and store it in your password manager rather than answering truthfully.

SMS and Email Recovery: Better, But Inherited Risk

Sending a reset code to your phone or backup email is the most common recovery method, and it's a real improvement over security questions. But it inherits all the weaknesses of the channel it leans on.

For SMS, that channel is the phone network, which was never designed for security. SIM swapping — where an attacker socially engineers your carrier into porting your number to their SIM — turns "send a code to my phone" into "send a code to the attacker's phone." It is a well-documented, repeatedly exploited attack, especially against high-value targets.

For email recovery, the risk chains: if your recovery email account is itself protected only by a weak password and SMS recovery, an attacker who compromises it inherits the keys to everything that resets through it. This is why your primary email account deserves your strongest protection — it sits at the root of a recovery tree for dozens of other accounts.

Map your recovery tree

Pick your most important account and trace what could reset it: a backup email? A phone number? Now trace what resets those. The root of that tree — usually your main email and your phone number — is your real attack surface. Harden the root, not just the leaves.

Backup Codes and Recovery Codes

Many services that offer two-factor authentication also generate a set of one-time backup codes — typically eight to ten strings you save when you enable 2FA. These are genuinely good: they're high-entropy, they don't depend on your phone number, and they work offline.

The catch is storage. A backup code is a skeleton key; anyone who finds it can bypass your second factor. Don't screenshot them into your camera roll (which often syncs to the cloud), don't email them to yourself, and don't paste them into a notes app. Print them and store them physically, or keep them in an encrypted vault separate from the account they protect.
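The server side of the backup-code scheme described above, as an added example (not Haven's code): codes are generated from a CSPRNG, the service stores only a per-user digest, and each code is accepted at most once. The alphabet, code length and store layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/o, 1/l/i); 31 symbols, so a 10-char code carries ~49.5 bits of entropy.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, length=10):
    """Return `count` random one-time codes drawn with the OS CSPRNG."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def _digest(user_id, code):
    # Per-user salt so a leaked table cannot be matched across users. The codes are
    # high-entropy, so a fast hash is acceptable; a slow KDF would also work here.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class BackupCodeStore:
    """Holds only digests; a code that has been redeemed is gone for good."""

    def __init__(self):
        self._unused = {}  # user_id -> set of digests still valid

    def issue(self, user_id, count=10):
        codes = generate_backup_codes(count)
        self._unused[user_id] = {_digest(user_id, c) for c in codes}
        return codes  # shown to the user exactly once, never stored in clear

    def remaining(self, user_id):
        return len(self._unused.get(user_id, set()))

    def redeem(self, user_id, candidate):
        """Accept a code once; normalises case/whitespace and avoids early-exit comparison."""
        d = _digest(user_id, candidate.strip().lower())
        unused = self._unused.get(user_id, set())
        match = None
        for stored in unused:  # scan every digest rather than stopping at the first hit
            if hmac.compare_digest(stored, d):
                match = stored
        if match is None:
            return False
        unused.remove(match)  # one-time: the same code cannot be replayed
        return True
```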

The Hierarchy of Recovery Methods

| Method | Main weakness | Verdict |
| --- | --- | --- |
| Security questions | Answers are public or guessable | Avoid |
| SMS code | SIM swapping, SS7 weaknesses | Last resort |
| Email reset | Only as strong as the email account | OK if email is hardened |
| Printed backup codes | Physical theft / careless storage | Good |
| Second hardware key | Cost; must be registered in advance | Excellent |
| Seed phrase (self-custody) | Lose it = no recovery, by design | Strong, unforgiving |
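The "map your recovery tree" exercise above, scored with this table's verdicts, as an added example that is not part of the original article: the account map, the numeric scores and the "email:<account>" notation are constructed assumptions. The weakest chain is what an attacker would follow, and the hardened map shows how fixing the root (the email account) lifts every account that resets through it.

```python
# Verdicts from the hierarchy table, as numbers: lower = weaker (assumed scale, not from the article).
METHOD_SCORE = {
    "security_questions": 0,
    "sms": 1,
    "backup_codes": 3,
    "hardware_key": 4,
    "seed_phrase": 4,
}

# Constructed recovery map: each account lists what can reset it. "email:X" means
# "reset via a link sent to account X", so its strength is whatever X's own weakest path is.
ACCOUNTS = {
    "bank": ["email:gmail", "sms"],
    "gmail": ["sms", "backup_codes"],
    "password_manager": ["seed_phrase"],
    "twitter": ["email:gmail", "security_questions"],
}

# Same map after hardening the root: SMS removed from gmail and from the bank.
HARDENED = dict(ACCOUNTS, gmail=["backup_codes", "hardware_key"], bank=["email:gmail"])


def weakest_path(account, accounts, visited=frozenset()):
    """Return (score, chain): the lowest-scoring sequence of resets that reaches `account`."""
    visited = visited | {account}
    best_score, best_path = float("inf"), []
    for method in accounts[account]:
        if method.startswith("email:"):
            target = method.split(":", 1)[1]
            if target in visited:  # cycle guard: A resets via B and B resets via A
                continue
            score, sub_path = weakest_path(target, accounts, visited)
            path = [method] + sub_path
        else:
            score, path = METHOD_SCORE[method], [method]
        if score < best_score:
            best_score, best_path = score, path
    return best_score, best_path


def report(accounts):
    """All accounts with their weakest reset chain, weakest first."""
    rows = [(acct, *weakest_path(acct, accounts)) for acct in accounts]
    return sorted(rows, key=lambda r: r[1])
```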

The Self-Custody Model: No Operator Reset

There is a fundamentally different approach that sidesteps the recovery paradox by removing the operator from the loop entirely. If the service provider cannot read your data — because it's encrypted with keys derived from a secret only you hold — then the provider also cannot reset it for you. There is no "email support to recover your account," because support has nothing to recover with.

In this model, recovery is your responsibility, and the tool is usually a recovery phrase: a sequence of words (often 12 or 24, following the BIP-39 word-list convention popularized by cryptocurrency wallets) that encodes the master secret. Whoever holds the phrase can recover the account; whoever doesn't, can't — not even the company.

The tradeoff is stark and honest: this design eliminates a whole class of attacks (no support agent to socially engineer, no operator-held reset to subpoena or breach) at the cost of being unforgiving. Lose the phrase and the data is gone for good. That is not a bug — it's the direct, unavoidable consequence of the operator genuinely not holding your keys.

For people whose threat model includes the service provider itself — journalists, activists, anyone worried about legal compulsion — this is the only model that actually delivers what privacy marketing usually promises. For others, the responsibility may be more than they want. Both are legitimate; what matters is knowing which one you're using. If the single point of failure is the part that worries you, the phrase can be split with Shamir's Secret Sharing, so that a chosen number of pieces (held by different people or places) is enough to rebuild it while fewer pieces reveal nothing.

A Practical Checklist

Haven uses the self-custody model deliberately: account recovery runs through a 24-word seed phrase you control, and we hold no operator reset — because a reset we could perform is a reset that can be compelled or stolen. It's the unforgiving option, and we think the honesty of it is the point. Whatever service you use, the lesson is the same: your security is exactly as strong as your weakest recovery path. Go find yours before someone else does.
