Users are human. They lose or break physical items, forget memorized secrets, and fat-finger their email addresses on registration forms. Any of these can lead to loss of access for a customer, triggering account recovery. How exactly do you assess account recovery mechanisms for suitability in your environment? What are the tradeoffs between different mechanisms? How can we nudge users to do the “right” thing? We’ll review a framework for understanding account recovery, giving teams a way to reason about the suitability of their own account recovery mechanisms.