October 1, 2025

Account recovery processes are often one of the weakest links in digital security. Organizations invest heavily in securing their primary authentication flows, yet recovery mechanisms still rely on methods that have proven easy to compromise and that criminals actively exploit:

  • Security questions whose answers can be researched on social media
  • SMS codes vulnerable to SIM swapping
  • Email recovery links that assume the mailbox, and the device reading it, are not themselves compromised

Account takeover attempts increasingly target recovery flows as the path of least resistance. At the same time, bank customers often abandon complex recovery processes, and support costs rise as organizations handle the resulting manual interventions.

This blog will explore how science-based biometrics can keep your account recovery processes truly secure and user-friendly. Using a case study from Raiffeisen Bank, we’ll highlight how simple it can be to let genuine users effortlessly recover accounts while keeping fraudsters out.

The Account Recovery Crisis: A Real-World Case Study with Raiffeisen Bank

Raiffeisen Bank in the Czech Republic, an iProov customer, serves more than 1.2 million monthly active mobile banking users. The bank faced a staggering operational reality: approximately 50,000 customers needed to reactivate their mobile banking every month, about 4% of the entire customer base.

Initially, their recovery process seemed robust. Customers would log into internet banking with an SMS OTP, enter a PIN, and activate mobile banking on their new device. The process appeared secure and convenient, until criminals systematically exploited its fundamental weakness: every factor it checked could be handed over by the customer.

Fraudsters launched sophisticated social engineering campaigns, impersonating bank officials and police to convince customers to hand over internet banking access. The attacker would then remotely activate mobile banking on their own device, gaining direct account access and stealing funds.

Raiffeisen’s first countermeasure was adding explicit warning screens asking customers to confirm they genuinely wanted to activate mobile banking. The protection lasted exactly one month before criminals adapted their scripts to overcome customer hesitation.

The attacks became so severe that Raiffeisen completely disabled remote internet banking activation in October 2022, forcing all customers requiring reactivation to visit physical branches — a painful solution creating massive operational strain and customer frustration.

Why Traditional Recovery Methods Fail

Raiffeisen’s situation illuminated recurring vulnerabilities in conventional account recovery approaches. Traditional methods share a critical flaw: they authenticate possession or knowledge factors (a phone number, a PIN, an email inbox) rather than verifying that the genuine person is present.

Device-native biometrics create an additional problem often misunderstood by security teams. As Dominic Forrest, CTO of iProov, discovered when his teenage daughter registered her fingerprint on his phone using his known PIN: “What you’re really proving is not biometrics — it’s proof of knowledge of the unlock code of the phone at a point in time.”

Raiffeisen’s Transformation Results

Working with Wultra, a mobile banking onboarding specialist, and liveness provider iProov, Raiffeisen developed a comprehensive reactivation process that validates the person through multiple layers, in five core identity verification (IDV) steps:

  1. Initial customer identification (customer number and date of birth)
  2. SMS OTP, used to throttle requests
  3. Document verification: scanning the ID card plus a passport or driver’s license
  4. Facial dynamic liveness detection to confirm genuine presence, comparing the live face against the document photos
  5. Final SMS OTP combined with the biometric verification token, for regulatory compliance

See the “simplified” process flow diagram below:

[Process flow diagram: Image 01 10 2025 at 15.34]

The entire process is remote, completes in approximately 80 seconds, and can be run immediately when a customer needs to bind a new device.
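To make the ordering and throttling of these five steps concrete, the following is an added example in Python of a server-side orchestrator for such a flow. It is not Raiffeisen’s, Wultra’s or iProov’s code. It assumes the document and liveness checks return results from an external IDV provider (modeled here as plain inputs), and it adds one design choice the page does not spell out: the biometric verification token minted in step 4 is an HMAC bound to the customer and to the device that passed the liveness check, short-lived and single-use, so a token taken from a victim’s session cannot complete step 5 on an attacker’s device. All names, keys and customer records are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo values; a production system would keep the key in an HSM/KMS
# and tune the windows to its own fraud data.
SERVER_KEY = b"demo-only-server-key"
OTP_WINDOW_S = 600       # sliding window for counting OTP sends per customer
MAX_OTP_PER_WINDOW = 3   # step-2 throttle: more sends than this and the request is rejected
TOKEN_TTL_S = 300        # step-4 token must be redeemed in step 5 within this time

# Hypothetical customer master data keyed by customer number (constructed).
CUSTOMERS = {"C1001": {"dob": "1985-04-12"}}


class RecoveryError(Exception):
    """Raised whenever a step is attempted out of order or a check fails."""


@dataclass
class RecoverySession:
    customer_no: str
    device_id: str                      # device that opened the request; the token is bound to it
    step: int = 1                       # next step this session is allowed to perform
    token: Optional[bytes] = None
    token_expires: float = 0.0
    token_used: bool = False


class RecoveryOrchestrator:
    def __init__(self, now=time.time):
        self.now = now
        self.otp_sends = {}   # customer_no -> timestamps of OTP sends (for throttling)
        self.otp_codes = {}   # (customer_no, device_id, step) -> code awaiting confirmation

    # Step 1: customer number + date of birth only gates entry; it grants nothing by itself.
    def start(self, customer_no, dob, device_id):
        rec = CUSTOMERS.get(customer_no)
        if rec is None or not hmac.compare_digest(rec["dob"], dob):
            raise RecoveryError("identification failed")
        return RecoverySession(customer_no, device_id, step=2)

    # Steps 2 and 5: an SMS OTP whose main job in step 2 is throttling repeated requests.
    def send_otp(self, s):
        if s.step not in (2, 5):
            raise RecoveryError("otp not expected at step %d" % s.step)
        t = self.now()
        sent = [x for x in self.otp_sends.get(s.customer_no, []) if t - x < OTP_WINDOW_S]
        if len(sent) >= MAX_OTP_PER_WINDOW:
            raise RecoveryError("otp throttled")
        sent.append(t)
        self.otp_sends[s.customer_no] = sent
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.otp_codes[(s.customer_no, s.device_id, s.step)] = code
        return code   # returned only so the demo can play the phone; real code goes out by SMS

    def _check_otp(self, s, code):
        expected = self.otp_codes.pop((s.customer_no, s.device_id, s.step), None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise RecoveryError("bad otp")

    def confirm_otp(self, s, code):
        if s.step != 2:
            raise RecoveryError("otp confirmation not expected at step %d" % s.step)
        self._check_otp(s, code)
        s.step = 3

    # Step 3: the provider's document verdict, modeled as a trusted boolean input.
    def submit_document(self, s, doc_valid):
        if s.step != 3 or not doc_valid:
            raise RecoveryError("document check failed")
        s.step = 4

    # Step 4: the provider's liveness verdict plus live-face-vs-document match. On success
    # mint a token bound to customer AND device, short-lived and single-use (assumption).
    def submit_liveness(self, s, live, face_matches_document):
        if s.step != 4 or not live or not face_matches_document:
            raise RecoveryError("liveness or face match failed")
        s.token_expires = self.now() + TOKEN_TTL_S
        s.token = self._mint(s.customer_no, s.device_id, s.token_expires)
        s.step = 5

    @staticmethod
    def _mint(customer_no, device_id, expires):
        msg = "%s|%s|%d" % (customer_no, device_id, int(expires))
        return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).digest()

    # Step 5: final OTP plus the token, verified against the device that presents it.
    def activate(self, s, code, presenting_device_id, token):
        if s.step != 5 or s.token is None or s.token_used:
            raise RecoveryError("no usable biometric token")
        if self.now() > s.token_expires:
            raise RecoveryError("token expired")
        expected = self._mint(s.customer_no, presenting_device_id, s.token_expires)
        if not hmac.compare_digest(expected, token):
            raise RecoveryError("token not valid for this device")
        self._check_otp(s, code)
        s.token_used = True
        s.step = 6
        return {"customer": s.customer_no, "activated_device": presenting_device_id}


def run_legitimate_flow(orch=None, device="phone-A"):
    """Walk all five steps for the constructed customer and return the activation record."""
    orch = orch or RecoveryOrchestrator()
    s = orch.start("C1001", "1985-04-12", device)
    orch.confirm_otp(s, orch.send_otp(s))
    orch.submit_document(s, doc_valid=True)
    orch.submit_liveness(s, live=True, face_matches_document=True)
    return orch.activate(s, orch.send_otp(s), device, s.token)


if __name__ == "__main__":
    print(run_legitimate_flow())
```

The two properties worth checking are the ones the page attributes to the redesigned flow: a session cannot skip to step 5 without passing liveness, and a token lifted from a session on one device is rejected when presented from another. The OTP counter is keyed by customer rather than by session, so an attacker opening fresh sessions to retry is throttled just the same.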

What makes this work is establishing trust in the person rather than in the device or in something they may “know”. Science-based facial verification, underpinned by Dynamic Liveness and Flashmark™ technology, confirms genuine presence by addressing three requirements: the right person, a real person, verified right now.

This is supported by dynamic threat detection from the iProov Security Operations Center (iSOC), which continuously monitors traffic for attacks and rolls out more than 120 updates per year without disruption to the customer, so the defence evolves with the threat.

The Results Show Significant Security and Operational Improvements:

Security Enhancement:

  • 97-98% of legitimate customers successfully complete the biometric verification
  • A phishing-resistant process: because the live face must match the identity document, an attacker holding only compromised credentials cannot complete it remotely
  • Protection against both digital injection attacks and physical presentation attacks

Operational Efficiency:

  • 25,000 users monthly successfully complete device-to-device activation transfers
  • 10,000-12,000 users monthly complete full document and biometric reactivation
  • Dramatic reduction in branch visits for activation purposes

The solution’s effectiveness extends beyond immediate security gains. The biometric infrastructure enables additional use cases, including transaction authentication for high-value activities like loan applications, step-up authentication for suspicious activities, and enhanced digital onboarding for new customers.

The Strategic Imperative

The shift from device-centric to person-centric authentication isn’t optional—it’s essential. As deepfake technology becomes increasingly accessible and traditional recovery methods face sophisticated attacks, science-based biometric verification provides the only scalable defense.

Raiffeisen’s journey from forced in-person branch visits to secure self-service remote recovery demonstrates that security and user experience can align rather than compete. With 50,000 customers monthly requiring reactivation, they needed a solution that worked at scale without compromising security.

The criminals have already adapted to exploit recovery process vulnerabilities. The question isn’t whether sophisticated attacks will target your organization, but whether your defenses will prove adequate when they do.

Couldn’t make it to Amsterdam? Raiffeisen Bank and iProov presented their blueprint for next-generation biometric security at Identity Management Europe 2025. We’ll share the full recap here. While you wait, discover how this partnership began: watch our previous conversation on transforming banking security for the digital age.