cschum at suse.de
Wed Jan 21 16:22:49 UTC 2009
On Wednesday 14 January 2009, Chris Messina wrote:
> Not really. Setting up a second factor is necessary for any kind of account
> reset or recovery. If you don't have anything that the user can provide or
> prove that they have exclusive access to, how else can you know for sure
> that it's really them doing the account reset?
Yes, the main question for me is which of the different methods fits best with
OpenID and gives the best user experience.
> That said, there are lots of things that you can use to substantiate that
> someone is who they say they are, each with their own idiosyncrasies and
> * security questions
> * secondary password
> * token by email
> * token by SMS
> * voice confirmation/biometrics
> * verify by phone call
> * hardware key
> * etc
> The worst problem, though, is if someone forgets their OpenID altogether.
> That's where having a verified email address becomes really handy.
Right. So it seems having a verified email address is almost a necessity, and
using it for account recovery as well then seems sensible.
Cornelius Schumacher <cschum at suse.de>
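The "token by email" option discussed above, worked through as an added example (this is not code from the thread, from OpenID, or from any provider mentioned in it): the server issues a random single-use token to a verified address, stores only its hash with an expiry, and redeems it with a constant-time comparison. The user table, the 15-minute lifetime and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory user store (assumption for this example): only an
# account whose address has been verified may recover by e-mail.
USERS = {
    "alice": {"email": "alice@example.org", "email_verified": True},
    "bob":   {"email": "bob@example.org",   "email_verified": False},
}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; not an OpenID requirement


@dataclass
class RecoveryRecord:
    token_hash: bytes   # sha256 of the token; the plaintext is never stored
    expires_at: float   # absolute time after which the token is dead
    used: bool = False  # flipped on first successful redemption


class RecoveryService:
    """Issue and redeem single-use, time-limited e-mail recovery tokens.

    Only the hash is kept server-side, so a leaked table cannot be turned
    into working reset links. `now` is injectable for testing expiry."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now
        self.pending: dict[str, RecoveryRecord] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, username: str):
        """Return (email, token) for delivery, or None when the account is
        unknown or has no verified address. The caller should show the same
        "if an account exists, mail was sent" message in both cases so the
        reset form cannot be used to enumerate accounts."""
        user = self.users.get(username)
        if user is None or not user["email_verified"]:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Re-issuing replaces any earlier token, so only the newest link works.
        self.pending[username] = RecoveryRecord(
            token_hash=self._hash(token),
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        return user["email"], token

    def redeem(self, username: str, token: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        rec = self.pending.get(username)
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        # Constant-time compare so response timing leaks nothing about
        # how many leading bytes of a guessed token matched.
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.used = True
        return True


if __name__ == "__main__":
    svc = RecoveryService(USERS)
    print("bob (unverified):", svc.issue("bob"))
    email, tok = svc.issue("alice")
    print("mail to", email, "with token", tok[:8] + "...")
    print("first redeem:", svc.redeem("alice", tok))
    print("replay:", svc.redeem("alice", tok))
```

The three checks that matter in `redeem` are ordered so that an expired or already-used record fails before any hashing happens, and the plaintext token exists only in the outgoing mail; anything at rest is the hash, which is what the "verified email as recovery channel" conclusion in the reply depends on.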