Not really. Setting up a second factor is necessary for any kind of account reset or recovery. If you don't have anything that the user can provide or prove that they have exclusive access to, how else can you know for sure that it's really them doing the account reset?<div>
<br></div><div>That said, there are lots of things that you can use to substantiate that someone is who they say they are, each with their own idiosyncrasies and drawbacks:</div><div><br></div><div>* security questions</div>
<div>* secondary password</div><div>* token by email</div><div>* token by SMS</div><div>* voice confirmation/biometrics</div><div>* verify by phone call</div><div>* hardware key</div><div>* etc</div><div><br></div><div>The worst problem, though, is if someone forgets their OpenID altogether. That's where having a verified email address becomes really handy.</div>
<div><br></div><div>Chris</div><div><br><br><div class="gmail_quote">On Wed, Jan 14, 2009 at 3:42 AM, Cornelius Schumacher <span dir="ltr">&lt;<a href="mailto:cschum@suse.de">cschum@suse.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
While looking for best practices for OpenID account recovery in cases where a<br>
user can't access the OpenID provider which was used in his account, I<br>
came across this document: <a href="https://openid.pbwiki.com/Fallback-account-access" target="_blank">https://openid.pbwiki.com/Fallback-account-access</a><br>
<br>
I'm wondering what the experience is with these kinds of techniques. Alternate<br>
OpenIDs, Multiple-delegation, and email recovery using confirmed email<br>
addresses all require the user to set this up in advance before the problem<br>
occurs. So either the users are forced into e.g. confirming an email address<br>
or at least some of them don't have a chance to get access to an account<br>
again, if the associated OpenID provider goes down. Neither seems to be<br>
optimal to me.<br>
<br>
Are there any alternative ideas how to handle account recovery for OpenID?<br>
<font color="#888888"><br>
--<br>
Cornelius Schumacher &lt;<a href="mailto:cschum@suse.de">cschum@suse.de</a>&gt;<br>
_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &amp;<br> Open Web Advocate-at-Large<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>