Account recovery based at least in part on user authentication other than traditional credentials (i.e. username and password) may be desirable in at least two scenarios. The first scenario is when a user is unable to provide the correct password (because he/she forgot it or because it was changed by an attacker who accessed his/her account). The second scenario is when a user is attempting to authenticate in a suspicious manner (e.g. from a location he/she has never logged in from before) or has already authenticated and is behaving in a suspicious manner (e.g. by then trying to change the account's password and recovery options).
In these two scenarios, traditional credentials (e.g. passwords) alone are insufficient to prove a user's identity. A service may offer users the ability to configure additional out-of-band contacts (e.g. alternate email addresses, phone numbers) with which the user can prove his/her identity. However, a first problem is that many users do not configure these or may no longer have access to those channels, and a second problem is that, where a malicious attacker has already gained access to the user's initial account, the service provider cannot be certain that the attacker has not changed the additional out-of-band contacts and/or does not have access to the additional out-of-band endpoints.