I'm looking for input on the best practices for dealing with a user who has misplaced their username, password, or lost access to their e-mail.
- If they forget their username: enter e-mail address, we'll send it there.
- If they forget their password: enter their username or e-mail address, we'll set it to a random string, e-mail the string, and require that they change it on login.
- If they forget both: do both of above. We don't send both in the same e-mail to reduce the value of a single e-mail being read by Eve or Mal (not the intended recipient).
- If they lose access to their e-mail account: Log in and change the associated e-mail address.
- If they lose access to their e-mail account AND forget their username: Enter their e-mail address, and we ask for their birthdate. Answer correctly and we provide their username.
- If they lose access to their e-mail account AND forget their password: Enter their username, and we prompt with their security question. Answer correctly and we log them in and require a password change.
- If they lose access to their e-mail account AND forget their username AND password: Tough luck.
- To change e-mail address: Log in and change it in "Account management"; we notify the previous address of the change.
To sum up:
e-mail address + e-mail account access = username + password
e-mail address + birthdate = username
username + password = login
username + security question answer = login
log-in + password = change e-mail account association or password
Now, it isn't unreasonable to assume an attacker could guess someone's login name and e-mail address. If they have a blog like LJ, they might even have their birthdate conveniently displayed on their Info page. So the only real security is their password or security question's answer. We lock the account after 3 or 5 bad login attempts and require that it be unlocked by responding to an e-mail, as e-mail account access already = username + password, so confirming access to an e-mail account is as good as having the username and password.
Username associated e-mail addresses are not public, although people might be able to guess it (if they make it known to be an address they use in a message associated with their username, like in a message board or such). Knowing their birthday will confirm that that is their e-mail address.
Maybe I should use the e-mail address AND security question AND birthday to reveal the username? Gah, I need to chart this all out, but my brain doesn't work well until the sun goes down. Anyway, anyone have any comments or suggestions?
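As an added example (not part of the original post), here is one way to implement the forgot-password and lockout rules described above: a random temporary password that is e-mailed and must be changed on the next login, a lock after MAX_FAILED bad attempts, and an unlock that requires the token sent to the account's e-mail address. The class and method names are assumptions, and the outbox list is a constructed stand-in for the mail system.

```python
import hashlib, hmac, os, secrets
MAX_FAILED = 5  # lock the account after this many bad attempts (the post's "3 or 5")

def hash_pw(password, salt=None):  # salted PBKDF2: a leaked table gives neither real nor temporary passwords
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, username, email, password):
        self.username, self.email = username, email
        self.salt, self.pw_hash = hash_pw(password)
        self.failed, self.locked, self.must_change, self.unlock_token = 0, False, False, None
        self.outbox = []  # constructed stand-in for the mail system: (kind, recipient, body)

    def _check(self, password):
        return hmac.compare_digest(hash_pw(password, self.salt)[1], self.pw_hash)

    def reset_password(self):
        temp = secrets.token_urlsafe(12)  # the random string that gets e-mailed to the user
        self.salt, self.pw_hash = hash_pw(temp)
        self.must_change = True  # forces a password change on the next successful login
        self.outbox.append(("password", self.email, temp))
        return temp

    def login(self, password):
        if self.locked:
            return "locked"
        if not self._check(password):
            self.failed += 1
            if self.failed >= MAX_FAILED:  # lock, and require the e-mailed unlock token
                self.locked = True
                self.unlock_token = secrets.token_urlsafe(24)
                self.outbox.append(("unlock", self.email, self.unlock_token))
            return "denied"
        self.failed = 0
        return "change_required" if self.must_change else "ok"

    def unlock(self, token):
        # Proving access to the e-mail account is treated as equivalent to username + password
        if not (self.locked and self.unlock_token and hmac.compare_digest(token, self.unlock_token)):
            return False
        self.locked, self.failed, self.unlock_token = False, 0, None
        return True

    def change_password(self, old, new):
        if not self._check(old):
            return False
        self.salt, self.pw_hash = hash_pw(new)
        self.must_change = False
        return True
```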