@Im-Hal-9K found that the identity verification process used during account recovery could be circumvented in specific cases. GitHub users can verify their identity using SSH keys that are associated with their account. However, SSH keys that were created by an OAuth application were also allowed for this process. We addressed this in our SSH verification tooling by rejecting verification by keys that were created by OAuth applications.
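
The provenance check described above, sketched as an added example (not GitHub's code): the `AccountKey` record, its `oauth_app_id` field, the function names and the sample keys are all assumptions made for illustration, and proof of possession of the private key is assumed to have been verified separately.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class AccountKey:
    public_key: str              # "type base64-blob [comment]"
    oauth_app_id: Optional[int]  # hypothetical field: None when the user added the key directly

def fingerprint(public_key: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the decoded key blob."""
    blob = base64.b64decode(public_key.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_key(account_keys: Iterable[AccountKey], presented: str) -> Optional[AccountKey]:
    """Match the presented key against the account's keys by fingerprint (comment ignored)."""
    try:
        fp = fingerprint(presented)
    except (IndexError, ValueError):  # malformed key line or invalid base64
        return None
    return next((k for k in account_keys if fingerprint(k.public_key) == fp), None)

def eligible_before_fix(account_keys: Iterable[AccountKey], presented: str) -> bool:
    # Behaviour described as the flaw: any key on the account is accepted.
    return find_key(account_keys, presented) is not None

def eligible_after_fix(account_keys: Iterable[AccountKey], presented: str) -> bool:
    # Behaviour described as the fix: keys created by an OAuth application are rejected.
    key = find_key(account_keys, presented)
    return key is not None and key.oauth_app_id is None

def _blob(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample data: the blobs are placeholders, not real SSH keys.
USER_KEY = "ssh-ed25519 " + _blob(b"constructed user-added key") + " laptop"
APP_KEY = "ssh-ed25519 " + _blob(b"constructed app-created key") + " deploy-tool"
UNKNOWN_KEY = "ssh-ed25519 " + _blob(b"constructed key not on account")
ACCOUNT_KEYS = [AccountKey(USER_KEY, None), AccountKey(APP_KEY, 4242)]

if __name__ == "__main__":
    for name, key in [("user", USER_KEY), ("app", APP_KEY), ("unknown", UNKNOWN_KEY)]:
        print(name, eligible_before_fix(ACCOUNT_KEYS, key), eligible_after_fix(ACCOUNT_KEYS, key))
```
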