Bsides Exeter 2026

Stopping account takeover at the recovery layer
2026-04-25, Auditorium

Teams keep hardening login. MFA is standard, SSO is common, and passkeys are rising. Yet account takeover still happens, because attackers rarely attack the strongest part of the system. They go around it.

Account recovery is now one of the easiest paths to takeover. It is often weaker than login, treated as a one-off feature, and rarely threat-modeled after the first release. Password reset is only the visible surface. The real risk is the recovery chain as a whole: reset links, email changes, MFA reset paths, session invalidation, and subtle UX signals that reveal too much.

This talk breaks down the production failure modes that turn recovery into a bypass. User enumeration through content and timing differences. Reset tokens that can be replayed or are scoped too broadly. Tokens leaking through link previews, logs, and instrumentation. Weak throttling that either does nothing or punishes real users. Missing post-reset cleanup that leaves attacker sessions alive even after the victim changes their password.

You will leave with a practical hardening checklist you can take back to your product: patterns for safe messaging, token lifecycle, rate limiting, monitoring signals, and a post-reset shutdown sequence that closes the gap without breaking UX.


This session treats account recovery as privileged access, not a simple form. It breaks down the most common real-world failure modes that turn password reset into an account takeover path, then replaces them with concrete patterns that teams can implement and test. The focus is defensive engineering with enough threat awareness to make the mitigations stick. No tool worship, no theory-only talk, and no step-by-step exploitation. It is a builder-friendly map of where recovery breaks and what good looks like.
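To make the checklist above concrete (safe messaging, token lifecycle, rate limiting, and the post-reset shutdown sequence), here is an added example of a minimal recovery service that applies those patterns together. It is illustration written for this page, not code from the talk or from the speaker's projects; the `User` and `RecoveryService` names, the in-memory `outbox` standing in for a mailer, and the limits (15-minute token TTL, three requests per address per hour) are assumptions chosen for the demo.

```python
"""Added example: a minimal password-recovery service applying the
hardening patterns from the abstract. The data model, the service
name and the in-memory 'outbox' mailer are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60        # reset tokens are short-lived (assumed value)
MAX_REQUESTS_PER_WINDOW = 3        # per target address (assumed value)
WINDOW_SECONDS = 60 * 60
# One neutral reply for every request, so the response text cannot enumerate accounts.
NEUTRAL_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2 for the demo; stored as salt:digest in hex."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def token_fingerprint(raw_token: str) -> str:
    """Only this hash is stored; a copied database row or a token that
    landed in a log line is useless without the raw value from the link."""
    return hashlib.sha256(raw_token.encode()).hexdigest()


@dataclass
class User:
    email: str
    password_hash: str
    sessions: set = field(default_factory=set)          # active session ids
    reset_tokens: dict = field(default_factory=dict)    # fingerprint -> issued_at
    request_times: list = field(default_factory=list)   # for per-address throttling


class RecoveryService:
    def __init__(self, users, now=time.time):
        self.users = {u.email: u for u in users}
        self.now = now                      # injectable clock for testing expiry
        self.outbox = []                    # constructed stand-in for sending email

    def request_reset(self, email: str) -> str:
        # Same work and same text whether or not the address exists, so neither
        # content nor timing reveals which accounts are real.
        user = self.users.get(email)
        raw_token = secrets.token_urlsafe(32)
        if user is not None:
            window_start = self.now() - WINDOW_SECONDS
            user.request_times = [t for t in user.request_times if t > window_start]
            if len(user.request_times) < MAX_REQUESTS_PER_WINDOW:
                user.request_times.append(self.now())
                # The token is bound to this user record, so it cannot be
                # presented against any other account.
                user.reset_tokens[token_fingerprint(raw_token)] = self.now()
                self.outbox.append((email, raw_token))
            # Over the limit: silently stop sending rather than lock the real user out.
        return NEUTRAL_REPLY

    def complete_reset(self, email: str, raw_token: str, new_password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        candidate = token_fingerprint(raw_token)
        matched = None
        for stored in user.reset_tokens:
            if hmac.compare_digest(stored, candidate):   # constant-time comparison
                matched = stored
        if matched is None:
            return False
        if self.now() - user.reset_tokens[matched] > TOKEN_TTL_SECONDS:
            del user.reset_tokens[matched]              # expired: discard, do not honour
            return False
        # Post-reset shutdown: the token is single-use, every other outstanding
        # token dies with it, and all existing sessions (including any an
        # attacker already holds) are revoked so the new password is the only way in.
        user.reset_tokens.clear()
        user.password_hash = hash_password(new_password)
        user.sessions.clear()
        return True
```

The design choice worth noting is that throttling acts on delivery, not on the reply: a flooded address stops receiving mail, but the caller still sees the neutral message and the legitimate owner is never locked out of requesting later. In a real deployment the `outbox` becomes a mail call, and the session set lives in whatever store issues session identifiers, so that `sessions.clear()` becomes a server-side revocation rather than a local delete.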


URL:

https://www.idncod.com/

Technical Level: 3 - Kind of in the middle, need knowledge but more of an intermediate place

Viola Lykova is a senior software engineer and SRE focused on authentication reliability and security in production systems. She has delivered over 5 community talks across webinars and in-person events including Cypress, Community Stack AWS user group, Ministry of Testing London, and London DevSecOps, and she is scheduled to speak at IOActive Hack Soho in March 2026. She is an AWS Community Builder in the Security category and a Cypress Ambassador. Viola runs weekly hands-on open-source workshops building Snappycart with contributors and publishes educational software engineering and security content on YouTube.