Hello,
I have been researching security gaps that can appear during passkey recovery workflows, particularly in situations involving:
- compromised cloud-sync accounts
- lost or stolen devices
- SIM swap attacks
- recovery email compromise
- malware on trusted devices
While passkeys significantly strengthen primary authentication, many recovery flows still rely on fallback mechanisms such as email OTP, SMS OTP, or synced account recovery. In certain attack scenarios, the effective security of the account may ultimately depend on the security of those recovery channels.
To explore this problem space, I designed a visual-password-based recovery mechanism intended to work alongside passkeys rather than replace them.
The goal is to introduce a human-memorable but high-entropy recovery factor that:
- can supplement email OTP and SMS OTP during recovery
- reduces dependence on weak fallback-only recovery
- avoids some usability issues associated with long seed phrases in crypto wallets
- increases attacker difficulty during account recovery attempts
- remains usable when the primary authenticator device is unavailable
The concept is aimed specifically at recovery assurance and account takeover resistance, not replacement of WebAuthn or existing passkey infrastructure.
I would greatly appreciate feedback from the community regarding:
- threat modeling considerations
- usability tradeoffs
- interoperability with passkey ecosystems
- recovery assurance implications
- possible limitations or attack surfaces
- whether this category of recovery factor could help improve resilience in modern authentication systems
I’m particularly interested in perspectives from those working on:
- passkey recovery
- identity assurance
- synced credential ecosystems
- authentication UX/security
Thank you for your time and feedback.
Regards,
Aniket Deshpande