MFA Recovery: When the Second Factor Undermines Protection
Published April 6, 2026 · Reading time approx. 6 minutes
Multi-factor authentication is one of the most effective defenses against account takeovers. But what happens when you lose the second factor — a broken phone, a deleted authenticator app, a hardware token that's gone missing? A study presented at ACM CCS 2023 set out to answer exactly that: How well does MFA account recovery actually work? The findings aren't encouraging.
Two Phases, One Question
The research team tackled this in two steps.
Phase one analyzed the help and support pages of 1,303 websites that offer MFA, looking at whether and how these services document the recovery process. Phase two was hands-on: the researchers created real accounts on 71 websites, enabled MFA, and then simulated losing access to the second factor. Could they get back in? Under what conditions?
One in Four: No Documentation at All
24.64% of the analyzed websites simply didn't document MFA recovery. No help article, no FAQ, nothing.
Where documentation did exist, it was often scattered across three or more separate help pages — without clear structure, sometimes with contradictory information. The study identified 17 distinct recovery procedures across all sites. Some websites combined several of them; others offered just one path.
Here's the real kicker: not a single website's documentation fully matched the actual recovery experience. Not once. For users, this means they can't rely on whatever instructions they find.
What Does a 52% Success Rate Really Mean?
Of the 71 tested accounts, the researchers regained access to 37. At first glance, 52.11% sounds passable.
Look closer and it falls apart. In most recovered cases, email access alone was enough to regain the account. The entire MFA security model effectively collapsed to email security. That's a fundamental problem. The whole point of MFA is to prevent a single compromised factor — like a hacked email account — from being sufficient for access.
Control someone's email, and you can bypass MFA on a disturbingly large number of services.
Why Do Backup Codes Fail Nearly Half the Time?
Backup codes are the standard fallback for MFA. The study configured them on 39 of the 71 websites. Result: only 56% of those accounts could actually be recovered using the codes.
Why the gap? Some websites demanded additional verification steps that were documented nowhere. Others flat-out rejected their own backup codes. A few had silently invalidated the codes without notifying users.
If backup codes fail nearly half the time, can you actually count on them?
Warnings — or the Lack Thereof
Only 22.54% of websites warned users during MFA setup about the risk of losing account access if the second factor is lost. Three out of four services let users enable MFA without mentioning what happens when a device goes missing.
Some websites took a peculiar approach. They explicitly warned that recovery would be impossible — then allowed recovery anyway. That sounds like a good outcome, but it creates confusion and erodes trust in security communication. If a service claims no recovery is possible, technically savvy users might not even try — even though it would've worked.
Why Is There No Unified MFA Recovery Standard?
The study found 17 different recovery procedures. Email-based recovery links, SMS codes, backup codes, support tickets with identity verification, waiting periods, alternative second factors, phone support — the list goes on.
No unified standard means every service handles it differently. Users with MFA on many platforms face a patchwork of processes. For enterprise IT administrators, this is a nightmare — they need to know these processes and act fast in an emergency.
What Can We Learn From This?
The authors propose four categories of recommendations:
- Prepare: Collect recovery information during MFA setup and store it securely. Generate backup codes, register alternative second factors, verify recovery email addresses.
- Communicate: Providers must document the recovery process clearly, completely, and in one place. Spreading information across multiple help pages with inconsistent details is counterproductive.
- Maintain: MFA configurations and recovery options need regular review. Silently expiring backup codes without notification shouldn't happen.
- Recover: Websites should actually follow their documented procedures. And users shouldn't wait for a real emergency to test whether recovery works.
What This Means for Organizations
For organizations deploying MFA for employees or customers, this study surfaces clear action items. Rolling out MFA without thinking through recovery is setting yourself up for trouble. That starts with documentation and ends with regular testing of your own procedures.
One particularly critical finding: if the recovery process reduces MFA security to email security, the entire security concept is undermined. Organizations should evaluate whether their third-party services and internal systems implement recovery procedures that don't negate the security benefits of MFA in the first place.
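One way to carry out that evaluation, as an added example that is neither the paper's code nor this article's: model every accepted login and recovery path as the set of factors a person must control, then compute the fewest independent factors that get someone in. It goes a step beyond the article by also treating a factor that can be reset through another one (a password reset via the email account) as dependent on it. All service names, path names and factor names are constructed.

```python
from itertools import product

# Constructed model of one fictional service: each path lists the factors a
# person must control to end up logged in. Normal login is included because
# the scheme is only as strong as its weakest accepted path.
WEAK_SERVICE = {
    "normal_login": {"password", "totp"},
    "backup_code": {"password", "backup_code"},
    "email_reset_link": {"email"},              # email alone regains the account
    "support_ticket": {"email", "id_document"},
}

# The same service after the reset link is changed to also demand a backup code.
HARDENED_SERVICE = dict(WEAK_SERVICE, email_reset_link={"email", "backup_code"})

# A path that looks two-factor but is not: password + email, when the password
# itself can be reset through that email account.
PASSWORD_PLUS_EMAIL = {"normal_login": {"password", "totp"}, "reset": {"password", "email"}}

# Constructed dependency table: a factor can be obtained by controlling another
# set of factors (here, the password is reset via email). Expanded one level only.
RESETS = {"password": [{"email"}]}


def root_factor_sets(factors, derivable):
    """Every set of factors that yields `factors`: each one is either held
    directly or obtained from the factors that can reissue it."""
    options = []
    for f in sorted(factors):
        alternatives = [frozenset([f])]
        alternatives += [frozenset(via) for via in derivable.get(f, ())]
        options.append(alternatives)
    return {frozenset().union(*choice) for choice in product(*options)}


def effective_factors(paths, derivable=None):
    """Fewest independent factors that suffice on any path, plus the paths
    that hit that minimum. A result of 1 means MFA has collapsed."""
    derivable = derivable or {}
    best, names = None, []
    for name, factors in paths.items():
        n = min(len(s) for s in root_factor_sets(factors, derivable))
        if best is None or n < best:
            best, names = n, [name]
        elif n == best:
            names.append(name)
    return best, sorted(names)


def collapses_to_single_factor(paths, derivable=None):
    """True when some login or recovery path is defeated by a single factor."""
    return effective_factors(paths, derivable)[0] == 1
```

Feeding a real service's documented paths into the model, and then the paths observed in a test run, makes the documentation-versus-reality mismatch the study reports visible as a difference in the two results.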
The full study is freely available: Klivan et al., "'We've Disabled MFA for You': An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments", ACM CCS 2023.
This article is an AI-generated summary of the scientific publication "'We've Disabled MFA for You': An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments" (ACM CCS 2023). The content has been editorially reviewed.
Want to review your organization's MFA implementation? Contact me for a security analysis of your authentication processes.