Many businesses rely on a variety of online services as part of their computing infrastructure. Online services may be provided by one or more service providers. Some service providers provide online services to businesses by providing a responsible individual associated with the business with credentials that allow access to a master account. The master account is granted the ability to create subordinate accounts and user accounts for other responsible individuals and employees of the business. The master account is often one of the first accounts granted to the business, and the responsible individual may enable multifactor authentication, or take other measures to secure the master account. The holder of the master account creates the subordinate accounts used by the business, and through the course of business, business data is generated and maintained by the service provider. If a business user loses their credentials or leaves the company, the responsible individual associated with the master account may be able to reset the credentials to regain access to the business user's account.
However, asserting control from one account over another has inherent risks. How, for example, can the holder of the master account be sure that the person requesting a password reset is authorized to do so? In addition, if the credentials of the master account are lost, corrupted, or become inaccessible for some reason, there may be no other account under the control of the business that can reclaim the privileges granted to the master account. Requesting an account reset from the service provider again has similar risks associated with reestablishing trust between the requester and the service provider. For example, if the service provider attempts to authenticate that the requestor has access to the phone number and email associated with the account, an attacker may attempt to divert the phone number to a line controlled by the attacker. For at least this reason, the problem of reestablishing trust between a service provider and an account holder is a difficult problem.