BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//bsides-exeter-2026//talk//YNPP3Z BEGIN:VTIMEZONE TZID:GMT BEGIN:STANDARD DTSTART:20001029T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:GMT TZOFFSETFROM:+0100 TZOFFSETTO:+0000 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T020000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:BST TZOFFSETFROM:+0000 TZOFFSETTO:+0100 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-bsides-exeter-2026-YNPP3Z@pretalx.com DTSTART;TZID=GMT:20260425T122000 DTEND;TZID=GMT:20260425T130000 DESCRIPTION:Teams keep hardening login. MFA is standard\, SSO is common\, a nd passkeys are rising. Yet account takeover still happens\, because attac kers rarely attack the strongest part of the system. They go around it.\n\ nAccount recovery is now one of the easiest paths to takeover. It is often weaker than login\, treated as a one-off feature\, and rarely threat-mode led after the first release. Password reset is only the visible surface. T he real risk is the recovery chain including reset links\, email changes\, MFA reset paths\, session invalidation\, and subtle UX signals that revea l too much.\n\nThis talk breaks down the production failure modes that tur n recovery into a bypass. User enumeration through content and timing diff erences. Reset tokens that can be replayed or are scoped too broadly. Toke ns leaking through link previews\, logs\, and instrumentation. Weak thrott ling that either does nothing or punishes real users. Missing post-reset c leanup that leaves attacker sessions alive even after the victim changes t heir password.\n\nYou will leave with a practical hardening checklist you can take back to your product. Patterns for safe messaging\, token lifecyc le\, rate limiting\, monitoring signals\, and a post-reset shutdown sequen ce that closes the gap without breaking UX. DTSTAMP:20260501T081647Z LOCATION:Auditorium SUMMARY:Stopping account takeover at the recovery layer - Viola Lykova URL:https://pretalx.com/bsides-exeter-2026/talk/YNPP3Z/ END:VEVENT END:VCALENDAR