Auth/SSO

AUTH-05

Account Recovery & Identity Verification Resistance

This control asks one thing: How does the organization verify a person's identity before resetting credentials, re-enrolling MFA, or restoring account access, especially for privileged users?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Helpdesk social engineering. An attacker with LinkedIn-level knowledge of an employee gets credentials reset and MFA re-enrolled onto their own device, bypassing every downstream control.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Converts the industry's most exploited attack vector into a demonstrable strength for cyber-insurance and client due diligence.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Publish a mandatory verification script for all reset types and start logging reset events with the verification method used.

What reaching level 2 (Developing) unlocks

Meaningful resistance to commodity helpdesk social engineering.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Callback / manager-attestation workflow enforced in tooling
  • Privileged resets require dual control
  • Recovery events alert the account owner on all registered channels

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite AUTH-05 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for AUTH-05 resolves to 6 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on AUTH-05?

This page is the teaser layer. The full rubric behind AUTH-05 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.