I have an online registry of professionals with about 300 members. These are smart people, but non-technical. Currently, if somebody forgets their email address, the system resends it to the email address they registered with.

The problem is that people change their email addresses over time, then forget their password, and can't receive the reminder.

I need to come up with a simple authentication system that allows people to recover their passwords even if they have changed email address.

I'm struggling to come up with anything that is even moderately secure that doesn't require the user's email address.

Can anyone suggest anything?

+4  A: 

Keep their mobile numbers for SMSing; those might change less often, or at least not in tandem with email addresses.

Also consider handling this case via manual support if the user base is only 300; but if you do so, don't forget to be diligent in whatever your manual verification method is. :)

quixoto
+1 for the manual option. How common could this be for 300 users?
Andrew Strong
The client has said he doesn't mind dealing with this manually, so it's a good option. But I also like the mobile phone idea. I suspect for this group of users, mobile phones would be as, if not more, pervasive than email addresses, and probably more stable, as you suggest. Thanks.
nedlud
A: 

The most common practice would be to introduce additional questions with registered answers, that would allow a user to reset their email address and password. (Though only one at a time and the second only after verification of the first).

For instance:

In what city did you grow up? Where did you go to college?

Usually you would have a stack of questions, let the user select 3 questions, and register their answers. The key being not to ask the same 3 questions of everyone.

Development 4.0
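A minimal implementation of the question-and-answer scheme described in this answer, added here as an example rather than code from the question or either answer. The question bank, the three-answer rule, the attempt limit and the class and function names are assumptions; the point is that registered answers are stored like passwords (normalized, salted, slow-hashed), all three must match, comparisons are constant-time, and repeated failures lock automated recovery so the manual path from the first answer takes over.

```python
import hashlib, hmac, os, unicodedata

# Assumed policy values (not from the page): three questions per user,
# and recovery locks after this many failed attempts.
REQUIRED_ANSWERS = 3
MAX_ATTEMPTS = 5

def normalize(answer: str) -> str:
    # Fold case, drop accents and collapse whitespace so "New  York" == "new york"
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(text.casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat answers like passwords: salted, slow hash rather than plaintext storage
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)

class RecoveryQuestions:
    def __init__(self, question_bank: dict):
        self.bank = question_bank  # {question_id: question_text}
        self.users = {}            # {user: {"records": [...], "failures": n}}

    def register(self, user: str, answers: dict) -> None:
        # answers: {question_id: answer_text}, chosen by the user from the bank
        if len(answers) != REQUIRED_ANSWERS or not set(answers) <= set(self.bank):
            raise ValueError(f"pick exactly {REQUIRED_ANSWERS} questions from the bank")
        records = []
        for qid, text in answers.items():
            salt = os.urandom(16)
            records.append((qid, salt, hash_answer(text, salt)))
        self.users[user] = {"records": records, "failures": 0}

    def questions_for(self, user: str) -> list:
        # The questions to show at reset time (only this user's chosen three)
        return [self.bank[qid] for qid, _, _ in self.users[user]["records"]]

    def verify(self, user: str, answers: dict) -> bool:
        entry = self.users.get(user)
        if entry is None or entry["failures"] >= MAX_ATTEMPTS:
            return False  # unknown user or locked out: hand over to manual support
        ok = True
        for qid, salt, expected in entry["records"]:
            # Check every answer with a constant-time compare, so neither timing
            # nor an early exit reveals which individual answer was wrong
            given = hash_answer(answers.get(qid, ""), salt)
            ok &= hmac.compare_digest(given, expected)
        entry["failures"] = 0 if ok else entry["failures"] + 1
        return ok
```

A successful `verify` is what should gate the email-address change, and only after that should the password reset be offered, matching the "one at a time" rule in the answer.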