Security products are usually demonstrated in the first five minutes of ownership. The phone is charged. The screen is intact. The face scanner recognises its owner. A credential appears with a satisfying animation.

The meaningful demonstration starts two years later.

The phone fell into the sea. The number was recycled. A cloud account is shared with a spouse the owner is trying to leave. The name on a government record changed but the bank’s record did not. The person has their password but not the old device; their document but not the email address; their face but not quite the face the enrollment camera remembers.

At that point, the recovery system becomes the identity system.

Recovery is governance

Passkeys, digital wallets and hardware-backed credentials can remove whole classes of attack. They can also make an account wonderfully easy to use on an ordinary day. But none abolishes the question of who restores access.

Recovery may depend on:

  • another device already signed into the same platform account;
  • a cloud-synchronised credential store;
  • a phone number and mobile network;
  • identity documents checked by support staff;
  • a bank branch, municipal office or employer;
  • trusted contacts or recovery codes;
  • creating an entirely new credential and convincing every relying party to accept it.

Each option is a governance choice disguised as a help screen. It decides which evidence outranks which, who may make an exception, and who can be locked out by a person with access to their household devices.

The safest default for whom?

“Ask the account owner” works badly when account ownership is itself contested. “Send a code to the phone” works badly after theft or coercive control. “Visit an office” may be a humane fallback for one person and an impossible journey for another. Social recovery distributes power, but it also reveals dependencies and assumes the social circle is safe.

There is no perfect answer. There are only threat models that admit whom they protect.

This suggests a better product review. Do not ask only whether enrollment resists fraud. Test the five ugly transitions:

  1. lost device;
  2. changed phone number;
  3. changed legal name;
  4. death or incapacity;
  5. escape from a controlling household.

A system that cannot explain these cases has not finished its security model. It has stopped at the happy path.

The constitutional layer

Recovery feels secondary because it is used less often. Constitutions are also used less often than ordinary procedures. Both matter most when normal authority breaks down.

Whoever controls recovery can override keys, records and prior consent. That actor may be a state, a platform, a bank, a group of friends or the user alone with a piece of paper. The choice can be reasonable. It cannot be absent.

The old phone is useful because it makes the hidden constitution visible. When the elegant credential is gone, whom does the system believe?

Further reading