CIAM (Customer Identity & Access Management) is where IAM meets real product constraints: conversion rates, support costs, fraud, privacy regulation, and at-scale reliability.
This page is vendor-agnostic by design: the concepts apply whether you use a homegrown stack or a CIAM platform.
Why recovery is the weakest link
Attackers target recovery flows because a successful recovery often bypasses MFA and passkeys entirely.
Recovery methods
- Email-based recovery (common, but protect against mailbox takeover)
- Device-bound recovery codes
- Support-assisted recovery (needs strict process + audit)
Controls
- Strong rate limits
- Step-up after recovery before sensitive changes
- Notifications for recovery events
Checklist
- Enumeration-safe flows
- Recovery tokens with short TTL
- One-time use links/codes
- Logging for investigations
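The controls and checklist above, put together in one small recovery service as an added example (not code from the original page or from any CIAM product): the response is the same whether or not the address exists, only a hash of the token is stored, tokens expire and are single-use, requests are rate limited per account, and every step is written to an audit list. The user store, the clock injection and the message texts are constructed assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_S = 15 * 60      # short TTL: a recovery link dies after 15 minutes
MAX_PER_HOUR = 3           # per-account rate limit on recovery requests
GENERIC = "If an account exists for that address, a recovery link has been sent."

def _h(value: str) -> str:  # store and log hashes, never raw tokens or addresses
    return hashlib.sha256(value.encode()).hexdigest()

class RecoveryService:
    def __init__(self, known_emails, clock=time.time):
        self.users = set(known_emails)   # constructed user store
        self.clock = clock               # injectable so tests can advance time
        self.tokens = {}                 # sha256(token) -> (email, expiry)
        self.requests = {}               # email -> request timestamps
        self.audit = []                  # structured events for investigations
        self.notifications = []          # (email, text) an outbound mailer would send

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def request_recovery(self, email):
        """Enumeration-safe: unknown, rate-limited and valid addresses all get GENERIC."""
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if t > now - 3600]
        if email not in self.users or len(recent) >= MAX_PER_HOUR:
            self._log("recovery_request_rejected", email_hash=_h(email),
                      reason="unknown" if email not in self.users else "rate_limited")
            return GENERIC, None
        self.requests[email] = recent + [now]
        token = secrets.token_urlsafe(32)            # travels only inside the e-mail
        self.tokens[_h(token)] = (email, now + TOKEN_TTL_S)
        self.notifications.append((email, "A recovery link was requested for your account."))
        self._log("recovery_token_issued", email_hash=_h(email))
        return GENERIC, token

    def redeem(self, token):
        """One-time use: the record is popped before any check, so a replay finds nothing."""
        rec = self.tokens.pop(_h(token), None)
        if rec is None:
            self._log("recovery_redeem_failed", reason="unknown_or_used")
            return None
        email, expiry = rec
        if self.clock() > expiry:
            self._log("recovery_redeem_failed", reason="expired", email_hash=_h(email))
            return None
        self._log("recovery_succeeded", email_hash=_h(email))
        return {"email": email, "step_up_required": True}  # gate sensitive changes
```

Response timing is not equalised here: a production flow should do equivalent work for unknown addresses so the reply time does not reveal which accounts exist.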
