When an app supports alternate access/login methods and does not enforce verification during signup, an adversary can sign up on behalf of the user and install such an alternate method as a backdoor. When the user later tries to log in, they have to recover the account. The attacker then maintains access through the backdoor method.
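
The following is an added example, not code from the original page: a small in-memory model of the flow above, comparing a recovery routine that keeps pre-verification state with one that revokes it. The `AccountStore` class, its method names and the sample email and method values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    verified: bool = False                            # email ownership proven?
    alt_methods: set = field(default_factory=set)     # e.g. linked SSO identity, API key
    sessions: set = field(default_factory=set)

class AccountStore:
    def __init__(self, harden: bool):
        self.harden = harden
        self.accounts = {}

    def signup(self, email, password, session_id):
        # Weakness from the text: the account is usable before the email is verified.
        self.accounts[email] = Account(password, sessions={session_id})

    def link_alt_method(self, email, method):
        self.accounts[email].alt_methods.add(method)

    def recover(self, email, new_password):
        # Reached only after the real owner follows a reset link sent to the mailbox.
        acct = self.accounts[email]
        if self.harden and not acct.verified:
            # Everything set up before ownership was proven is untrusted: revoke it.
            acct.alt_methods.clear()
            acct.sessions.clear()
        acct.password = new_password
        acct.verified = True

    def alt_login_ok(self, email, method):
        return method in self.accounts[email].alt_methods

def surviving_access(harden: bool):
    """Return (alt method still valid, sessions still valid) after owner recovery."""
    store = AccountStore(harden)
    email, method = "owner@example.com", "sso:constructed-id"   # constructed sample values
    store.signup(email, "chosen-by-someone-else", "sess-1")
    store.link_alt_method(email, method)
    store.recover(email, "chosen-by-owner")
    acct = store.accounts[email]
    return store.alt_login_ok(email, method), bool(acct.sessions)

if __name__ == "__main__":
    print("unhardened:", surviving_access(False))
    print("hardened:  ", surviving_access(True))
```

A password reset alone leaves the alternate method and the existing session valid in the unhardened store; the hardened store clears both at the moment ownership is first proven.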