Password reset with lost email functionality

Is there a design pattern whereby we can have the user enter some information and be taken to a page where they can be allowed to change the email address to send the reset link? BTW, we do not want to use/store security questions.

We have a unique situation. When a user registers an account and uses their company-based email as the main email account, how can we implement a forgot password scheme if they no longer work for that company and can’t access that email account?

We currently send an email with a reset link to their primary email account. Most do not have a secondary email address and we do not want them to be able to enter just any email address to send the link to.

How has this kind of thing been done before? I don’t know of any sites that do this because most of them require sending an email to the user’s account.

We do ask for business and cell phone numbers, plus several other identifying fields, such as Employer and Job Title. We used to ask for Last4SSN but have opened up for int’l. registrations, so we no longer ask for that. We are asking more for what techniques to use to change a user’s EMAIL address if they do not remember their password. Some people don’t have cell phone numbers in their account, so text messages to them are not viable, and implementing something with secret questions now would not benefit the 300,000 users that we currently have.

I like the idea of them being able to choose which email (masked, of course) to send to but what if they only have one email address?

I’m leaning upon doing something like the credit bureaus do. They ask questions about your credit history like “You recently opened an auto loan on what type of vehicle?” Then they show you 4 vehicle types and you select one of them.

Thoughts?

I would venture you can follow the more and more common pattern (I’m thinking google/yahoo/fb) which has a wizard for the user to establish emergency recovery numbers.

You can create a couple of fields for this - email, cell phone number, question/answer - and a flag on the accounts which tells your system to run them through the wizard which allows the user to set their values. This will handle new members AND existing members.

We don’t want to burden our existing users with this type of thing, and it would mean modifications to our database to do it. I, personally, do not like Google’s way of doing this and think others just copied it because they are using it, not because it is preferable, because it is intrusive.

If you’re going to say both 1 and 2 below are true, you’re kind of stuck. Asking arbitrary questions where people have to dig out paperwork to find the answer is even worse - what happens if they hand the paperwork over to someone else or it’s archived off site? You’ve got to provide them mechanisms which are clear and meaningful to them.

  1. They may or may not have a cell phone.
  2. They may or may not have an alternate email address.

Just not doing something because you don’t want to make database changes is an odd choice for why you are or are not going to do things.

Know where I can find examples of how to do this?

DaveMaxwell, Do you know where I can find some example code for this pattern?
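Example code for the recovery-contact pattern suggested above, added here as an illustration and not code from the original thread or from DaveMaxwell. It assumes a Python service with a per-account flag that routes the user through the wizard, emergency contacts that must be verified before they can receive a link, a masked choice page at reset time, and single-use reset tokens stored only as hashes; names such as `complete_wizard_step` and the 15-minute token lifetime are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes (assumed policy)

@dataclass
class RecoveryContact:
    kind: str               # "email" or "sms"
    value: str
    verified: bool = False  # only a contact the user proved ownership of may get a link

@dataclass
class Account:
    primary_email: str
    contacts: list = field(default_factory=list)
    needs_recovery_setup: bool = True  # flag that routes the user through the wizard
    pending: dict = field(default_factory=dict)  # sha256(token) -> (destination, expiry)

def mask(value):
    if "@" in value:  # email: keep first letter and domain, never the full address
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    return "***" + value[-4:]  # phone: last four digits only

def complete_wizard_step(account, kind, value, verified):
    # Wizard: record an emergency contact; clear the flag once one is verified
    account.contacts.append(RecoveryContact(kind, value, verified))
    if any(c.verified for c in account.contacts):
        account.needs_recovery_setup = False

def _channels(account):
    # Primary email plus verified emergency contacts; never a value typed at reset time
    return [account.primary_email] + [c.value for c in account.contacts if c.verified]

def recovery_options(account):
    # Masked choices for the "where should we send the link?" page
    return [(i, mask(v)) for i, v in enumerate(_channels(account))]

def issue_reset_token(account, choice, now):
    """The user submits an index, not an address; any other input is refused."""
    channels = _channels(account)
    if not isinstance(choice, int) or not 0 <= choice < len(channels):
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored at rest
    account.pending[digest] = (channels[choice], now + TOKEN_TTL_SECONDS)
    return token, channels[choice]  # caller sends `token` to channels[choice] out of band

def redeem_reset_token(account, token, now):
    """Single use: the entry is removed whether or not it is still valid."""
    entry = account.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    return entry is not None and now < entry[1]
```

Delivery of the link (email or SMS) is left to the caller; the point is that the destination always comes from the account record, so a user who lost the company mailbox can still pick a previously verified channel but nobody can type in an arbitrary one.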
