Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future
This repository contains the Account Recovery Threat Heuristic Auditing (ARTHA) Framework, the user account recovery auditing framework presented at Black Hat USA 2025 as part of the talk Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future, along with other useful resources.
If you find our work useful and want to cite it, use the following style:
Rao, Siddharth Prakash; Sonkeri, Gabriela; Bourdoucen, Amel; Lindqvist, Janne, "Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future" in Black Hat USA Conference 2025. Available online: https://www.blackhat.com/us-25/briefings/schedule/#lost--found-the-hidden-risks-of-account-recovery-in-a-passwordless-future-46431
- If you are auditing the account recovery of a single website, or prefer flat markdown files over spreadsheets, head over to the Test Suite folder.
- If you are auditing the account recovery of multiple websites and prefer tabulated spreadsheets (for summary stats or other purposes), head over to the workbook file.
- Slide decks (presentation and handout versions) and the whitepaper are available in the Presentation Materials folder.