Account recovery

Cornelius Schumacher cschum at
Wed Jan 21 16:22:49 UTC 2009

On Wednesday 14 January 2009, Chris Messina wrote:
> Not really. Setting up a second factor is necessary for any kind of account
> reset or recovery. If you don't have anything that the user can provide or
> prove that they have exclusive access to, how else can you know for sure
> that it's really them doing the account reset?

Yes, the main question for me is, which of the different methods fits best to 
OpenID and gives the best user experience.

> That said, there are lots of things that you can use to substantiate that
> someone is who they say they are, each with their own idiosyncrasies and
> drawbacks:
> * security questions
> * secondary password
> * token by email
> * token by SMS
> * voice confirmation/biometrics
> * verify by phone call
> * hardware key
> * etc
> The worst problem, though, is if someone forgets their OpenID altogether.
> That's where having a verified email address becomes really handy.

Right. So it seems, having a verified email address is almost a necessity, and 
using it for account recovery then as well seems sensible.

Cornelius Schumacher <cschum at>

More information about the user-experience mailing list