Designing Customer Account Recovery in a 2FA World
You’ve built login for your application—and even added 2FA—but what happens when a customer forgets their password, upgrades their phone, or otherwise gets locked out of their account? This session will show how to accommodate account recovery where the user has 2FA enabled while minimizing account takeover and support overhead. At Twilio, we provide a free consumer 2FA service via the Authy App. We’ve spent over seven years thinking about account recovery, refining the process, and designing our system to balance the support burden with necessary friction. I’ve tracked dozens of other account recovery procedures to learn how different companies attempt to re-verify identity. This talk will look at that research and outline best practices you can use given your customers’ risk. Security keys and app-based authentication are great until the user loses the device, but SMS 2FA is too insecure to use as the only account recovery mechanism. We’ll highlight how to build guardrails for your call center agents to minimize costs and delight customers. You’ll leave understanding the trade-offs of mechanisms for 2FA recovery (like government ID verification, forced waiting periods, security questions) and debating the value of recovery tokens. (CIAM, User Experience, Security, Architecture & Deployment, Consumer Identity, Kelley Robinson).
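The abstract names two of the recovery mechanisms it will weigh: forced waiting periods and recovery tokens. The following is an added example, not code from the talk or from Twilio/Authy, sketching how the two combine in a hypothetical in-memory `RecoveryService`: a token is issued once in plaintext and only its hash is stored, it cannot be redeemed until a waiting period has elapsed (giving the legitimate owner a window to cancel a request they did not make), it expires if unused, and it is single-use. The durations, names and store are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed parameters for this example (assumptions, not values from the talk).
WAITING_PERIOD_S = 24 * 3600      # forced delay before a recovery token may be used
TOKEN_LIFETIME_S = 7 * 24 * 3600  # unused tokens expire after this long


@dataclass
class RecoveryRequest:
    user_id: str
    token_hash: bytes
    requested_at: float
    used: bool = False
    cancelled: bool = False


class RecoveryService:
    """Hypothetical in-memory store of pending account-recovery requests."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock  # injected so the waiting period can be tested deterministically
        self.requests: Dict[bytes, RecoveryRequest] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        # Only the hash is persisted; a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_recovery(self, user_id: str) -> str:
        """Issue a fresh recovery token. The plaintext is returned exactly once."""
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self.requests[digest] = RecoveryRequest(user_id, digest, self.clock())
        return token

    def cancel_pending(self, user_id: str) -> int:
        """Owner-initiated abort of every unused request during the waiting period."""
        cancelled = 0
        for req in self.requests.values():
            if req.user_id == user_id and not req.used and not req.cancelled:
                req.cancelled = True
                cancelled += 1
        return cancelled

    def redeem(self, token: str) -> Tuple[bool, str]:
        """Return (ok, user_id) on success, or (False, reason) explaining the refusal."""
        presented = self._hash(token)
        match = None
        # Compare against every stored hash in constant time rather than short-circuiting.
        for stored_hash, req in self.requests.items():
            if hmac.compare_digest(stored_hash, presented):
                match = req
        if match is None:
            return (False, "unknown_token")
        now = self.clock()
        if match.cancelled:
            return (False, "cancelled")
        if match.used:
            return (False, "already_used")
        if now > match.requested_at + TOKEN_LIFETIME_S:
            return (False, "expired")
        if now < match.requested_at + WAITING_PERIOD_S:
            return (False, "waiting_period")
        match.used = True  # single use
        return (True, match.user_id)


if __name__ == "__main__":
    fake_now = [0.0]
    svc = RecoveryService(lambda: fake_now[0])
    token = svc.request_recovery("alice")
    print(svc.redeem(token))            # refused during the waiting period
    fake_now[0] = WAITING_PERIOD_S + 1
    print(svc.redeem(token))            # (True, 'alice')
    print(svc.redeem(token))            # refused: already used
```

The waiting period is what makes the cancellation path meaningful: a notification sent when the request is created gives the real account owner time to reject it before the token becomes usable, which is the property that distinguishes this from an instant SMS reset.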