A resilient institution can lose a device, an office, a vendor or a key person without losing the right to act. Most cannot. Their continuity ultimately depends on a recovery witness: the assistant who knows which email was used, the adviser who can call the bank, the administrator whose voice a provider recognises, or the family member who can persuade support that the claimant is real.
This authority is rarely documented because it looks like helpfulness. In practice, it is a privileged control.
Recovery is a second identity system
The primary identity system asks for credentials. The recovery system asks for context: old addresses, known relationships, device history, documents, telephone numbers and human judgement. It is often weaker, more discretionary and more powerful than the front door.
An attacker studies it. An institution usually does not. That asymmetry explains why strong authentication can coexist with fragile recovery.
The witness problem
A recovery witness may be unavailable, conflicted, compromised or simply wrong. They may also possess more practical authority than their formal role suggests. If a former assistant can still validate a principal to three providers, termination did not remove their institutional power.
The answer is not to eliminate human judgement. Some exceptional cases need it. The answer is to turn the witness from an accidental dependency into a governed role.
Design a recovery quorum
- Name at least two eligible recovery witnesses from different relationship domains.
- Prevent any one witness from both initiating and completing a high-consequence recovery.
- Define which evidence each witness may rely on and which facts are never authenticators.
- Use a pre-agreed independent channel to confirm the recovery event.
- Expire witness authority when roles or relationships change.
For the most critical assets, add a cooling period or transaction restriction after recovery. Regaining an account should not immediately grant the full historic ability to move value.
The witness register
Record system, recovery route, eligible witnesses, independent evidence, prohibited evidence, completion authority, post-recovery restriction and last test date. Then test one route without warning the witness in advance. A recovery process known only as a diagram is not a recovery process.
Continuity depends less on whether backups exist than on whether the right people can prove the right to use them.
