Account recovery

Chris Messina chris.messina at
Wed Jan 21 19:17:44 UTC 2009

On Wed, Jan 21, 2009 at 8:22 AM, Cornelius Schumacher <cschum at> wrote:
> On Wednesday 14 January 2009, Chris Messina wrote:
>> Not really. Setting up a second factor is necessary for any kind of account
>> reset or recovery. If you don't have anything that the user can provide or
>> prove that they have exclusive access to, how else can you know for sure
>> that it's really them doing the account reset?
> Yes, the main question for me is, which of the different methods fits best to
> OpenID and gives the best user experience.

I think it depends on your audience. Depending on the kind of site you
have, and how necessary reliable customer access is, your methods will

Email is probably baseline, since just about everyone has one and
knows theirs -- but SMS certainly would be a nice to have -- and for
more social sites, you could also do, heck, Twitter -- have the user
follow your Twitter account from their account (if they have one) and
if they ever forget their password, send them a direct message with a
one-time access token.

Again, your account reset mechanism should probably be based on what
will work for your audience.

>> That said, there are lots of things that you can use to substantiate that
>> someone is who they say they are, each with their own idiosyncrasies and
>> drawbacks:
>> * security questions
>> * secondary password
>> * token by email
>> * token by SMS
>> * voice confirmation/biometrics
>> * verify by phone call
>> * hardware key
>> * etc
>> The worst problem, though, is if someone forgets their OpenID altogether.
>> That's where having a verified email address becomes really handy.
> Right. So it seems, having a verified email address is almost a necessity, and
> using it for account recovery then as well seems sensible.

Generally I would say yes, with the caveat that many younger folks
don't really use email all that much. I think they use SMS a lot more,
and then use messaging within MySpace, Facebook and others.

Perhaps email is something that you have to have in order to sign up
and access sites, but I'm not sure, again, that that's true for all
audiences. I think more research is necessary in this area, and in
specific applications.


Chris Messina
Citizen-Participant &
  Open Web Advocate-at-Large
This email is:   [ ] bloggable    [X] ask first   [ ] private
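An added example, not from the thread or any project it mentions: a minimal Python store for the kind of one-time recovery token discussed above, regardless of whether it is delivered by email, SMS or a direct message. The token is kept only as a hash, bound to the account and the channel it was sent to, expires after a short window, is voided after a few wrong guesses, and is consumed on first successful use. Account ids and channel strings are made-up; delivery itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a recovery link or DM should go stale quickly
MAX_ATTEMPTS = 5              # wrong guesses tolerated before the token is voided


class RecoveryTokenStore:
    """Issue and redeem one-time account-recovery tokens sent out of band
    (email, SMS, a direct message, ...).

    Only a SHA-256 digest of each token is stored, so a leaked table holds no
    usable tokens. A token is bound to one account and the channel it was sent
    to, expires after TOKEN_TTL_SECONDS, is voided after MAX_ATTEMPTS wrong
    guesses, and is consumed by its first successful redemption.
    """

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._pending = {}    # account_id -> {digest, channel, expires_at, failures}

    def issue(self, account_id, channel):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, URL-safe
        self._pending[account_id] = {      # replaces any earlier pending token
            "digest": hashlib.sha256(token.encode()).digest(),
            "channel": channel,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "failures": 0,
        }
        return token   # hand this to the delivery channel; never log or store it

    def redeem(self, account_id, channel, presented):
        rec = self._pending.get(account_id)
        if rec is None:
            return False
        if self._clock() > rec["expires_at"]:
            del self._pending[account_id]   # stale token: drop it
            return False
        digest = hashlib.sha256(str(presented).encode()).digest()
        if channel == rec["channel"] and hmac.compare_digest(digest, rec["digest"]):
            del self._pending[account_id]   # single use: consumed on success
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del self._pending[account_id]   # void after repeated wrong guesses
        return False
```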
