Every identity control you run watches what happens after someone proves who they are. Conditional access, session scoring, posture checks, anomaly detection. All of it assumes an established identity with a history to compare against.
The password reset flow has neither.
The Door That Opens Before Detection
When a user resets a password or recovers an account, the system is talking to someone it can't yet trust. There's no session to score, no baseline to deviate from, no prior behavior to weigh. The control meant to re-establish identity is the one moment identity tooling goes blind.
Attackers know it. A convincing call to the help desk. A SIM swap. An abused self-service recovery flow. Each one reaches the account before there's anything to detect. By the time behavior looks anomalous, the reset already succeeded, and the new history starts from the attacker's session.
Recovery Is a Behavioral Question
The reflex is to harden the flow with more factors: security questions, step-up prompts, verification codes. But every added factor is a static check, and static checks are what a prepared attacker plans around. The reset moment deserves the same scrutiny as everything after it: who's asking, from where, in what pattern, and against what's already known about this identity across systems. Treating recovery as a behavioral question, not a form to complete, is the gap the industry hasn't closed.
Identity security has spent years getting sharper about what happens after login. Abnormal extends that behavioral model to the reset flow itself — so the blind spot shrinks before an attacker finds it.
See the latest from Abnormal's product and engineering teams.
