chris.messina at gmail.com
Wed Jan 14 22:38:47 UTC 2009
Not really. Setting up a second factor is necessary for any kind of account
reset or recovery. If you don't have anything that the user can provide or
prove that they have exclusive access to, how else can you know for sure
that it's really them doing the account reset?
That said, there are lots of things that you can use to substantiate that
someone is who they say they are, each with their own idiosyncrasies and
* security questions
* secondary password
* token by email
* token by SMS
* voice confirmation/biometrics
* verify by phone call
* hardware key
The worst problem, though, is if someone forgets their OpenID altogether.
That's where having a verified email address becomes really handy.
On Wed, Jan 14, 2009 at 3:42 AM, Cornelius Schumacher <cschum at suse.de> wrote:
> While looking for best practices for OpenID account recovery in cases where
> the user can't access the OpenID provider which was used in his account, I
> came across this document:
> I'm wondering what the experience is with these kinds of techniques.
> OpenIDs, Multiple-delegation, and email recovery using confirmed email
> addresses all require the user to set this up in advance, before the problem
> occurs. So either the users are forced into e.g. confirming an email,
> or at least some of them don't have a chance to get access to an account
> again if the associated OpenID provider goes down. Both don't seem to be
> optimal to me.
> Are there any alternative ideas on how to handle account recovery for OpenID?
> Cornelius Schumacher <cschum at suse.de>
Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private