Account recovery

Chris Messina chris.messina at
Wed Jan 14 22:38:47 UTC 2009

Not really. Setting up a second factor is necessary for any kind of account
reset or recovery. If you don't have anything that the user can provide or
prove that they have exclusive access to, how else can you know for sure
that it's really them doing the account reset?
That said, there are lots of things that you can use to substantiate that
someone is who they say they are, each with their own idiosyncrasies and

* security questions
* secondary password
* token by email
* token by SMS
* voice confirmation/biometrics
* verify by phone call
* hardware key
* etc

The worst problem, though, is if someone forgets their OpenID altogether.
That's where having a verified email address becomes really handy.


On Wed, Jan 14, 2009 at 3:42 AM, Cornelius Schumacher <cschum at> wrote:

> While looking for best practices for OpenID account recovery in cases where a
> user can't access the OpenID provider which was used in his account, I
> came across this document:
> I'm wondering what the experience is with these kinds of techniques. Alternate
> OpenIDs, Multiple-delegation, and email recovery using confirmed email
> addresses all require the user to set this up in advance, before the problem
> occurs. So either the users are forced into e.g. confirming an email address,
> or at least some of them don't have a chance to get access to an account
> again if the associated OpenID provider goes down. Neither seems
> optimal to me.
> Are there any alternative ideas on how to handle account recovery for OpenID?
> --
> Cornelius Schumacher <cschum at>
> _______________________________________________
> user-experience mailing list
> user-experience at

Chris Messina
Citizen-Participant &
Open Web Advocate-at-Large
This email is:   [ ] bloggable    [X] ask first   [ ] private
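One way to implement the "token by email" option from Chris's list, as an added example that is not code from this thread or from any OpenID provider: a recovery token is issued only when the account already has a verified email address (the "set it up in advance" requirement Cornelius raised), stored only as a hash, and accepted once, before a short expiry, for the account it was issued for. The account store, the `alice` account and the `example.org` address are constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # recovery links should die quickly

# Constructed in-memory stand-ins for a database; example.org is a placeholder domain.
accounts: Dict[str, Dict[str, str]] = {"alice": {"verified_email": "alice@example.org"}}
pending_tokens: Dict[str, Tuple[str, float]] = {}  # token_hash -> (account, expires_at)


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable recovery links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_recovery_token(account: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use token to be mailed to the account's verified address.
    Returns None when no verified email exists: there is nothing the user can
    prove exclusive access to, so no reset can be offered."""
    now = time.time() if now is None else now
    email = accounts.get(account, {}).get("verified_email")
    if not email:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    pending_tokens[_hash_token(token)] = (account, now + TOKEN_TTL_SECONDS)
    # The caller sends `token` to `email`; the clear-text token is never logged or stored.
    return token


def redeem_recovery_token(account: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, only for the account it was issued for.
    Any presentation consumes the token, so a wrong guess cannot be retried with it."""
    now = time.time() if now is None else now
    entry = pending_tokens.pop(_hash_token(token), None)
    if entry is None:
        return False  # unknown, already used, or never issued
    issued_for, expires_at = entry
    return issued_for == account and now <= expires_at
```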
