Sunday, March 25, 2018

What is best practice for a forgotten login email address?


It seems as though all the major sites that use an email as a login only allow for forgotten passwords. I am looking to find out how users can recover an account when they have forgotten their login email.


At the moment I have a link to a page that allows 5 attempts, and after the 5th failed attempt they can make contact with a person for verification. Is there a security issue with this?



Answer




You can break up the entry of the username/email address and password into two phases with an appropriate prompt depending on whether the user has already successfully entered their username/email address or not.


For instance, on CapitalOne's website there is a "Forgot ID or Customer #?" link before the form entry initially, followed by a "Forgot Password?" link once you've successfully entered your ID. On gmail.com, there is a "Need Help?" link before you successfully enter your username/email address that becomes "Forgot Password?" once you've entered it.


For security purposes, I would block too many failed login attempts (even invalid email attempts) as it sounds like you are, but allow a user to click some sort of "Need Help?" link for support logging in at any time, not just after 5 failed attempts. (Gmail, for instance, uses a recovery email or phone number set at registration to support forgotten usernames/email addresses.)
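The flow described in the answer, as an added example that is not part of the original post or any of the cited sites' code: a two-phase login (identifier first, then password) with the question's limit of 5 failed attempts, failures counted per account and per client address, and a "Need Help?" path that is available at any time and looks the account up by the recovery contact given at registration. The user store, the failure counters and the message "sender" are in-memory stand-ins, the 15-minute lockout window is an assumption, and the class and method names are hypothetical. One caveat a practitioner should note: because the cited sites confirm a valid ID before asking for the password, phase 1 reveals whether an identifier exists, so unknown identifiers are counted toward the client's lockout here; the recovery form, by contrast, answers identically whether or not the contact is registered and sends the identifier only to that contact.

```python
"""Two-phase login with failed-attempt limiting and a "forgot my email" path.

Added example, not code from the original post. The user store, the
failure counters and the message "sender" are in-memory stand-ins
(assumptions); a real deployment would use a database, a dedicated
password hash (argon2/bcrypt) and an email/SMS provider.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 5            # attempts allowed before a lockout (the question's value)
LOCKOUT_SECONDS = 15 * 60   # hypothetical lockout window


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.users = {}      # email -> {"salt", "hash", "recovery_phone"}
        self.failures = {}   # key (email or client ip) -> {"count", "locked_until"}
        self.sent = []       # (recovery_phone, email) pairs "sent"; stand-in for SMS/email

    def register(self, email, password, recovery_phone):
        salt = os.urandom(16)
        self.users[email.strip().lower()] = {
            "salt": salt, "hash": _hash(password, salt), "recovery_phone": recovery_phone}

    # --- failure accounting, keyed by identifier *and* by client address ---
    def _locked(self, key, now):
        rec = self.failures.get(key)
        return bool(rec) and rec["locked_until"] > now

    def _fail(self, key, now):
        rec = self.failures.setdefault(key, {"count": 0, "locked_until": 0.0})
        rec["count"] += 1
        if rec["count"] >= MAX_FAILURES:          # 5th failure: lock, restart the count
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["count"] = 0

    # Phase 1: identifier only. The sites cited in the answer confirm a valid
    # ID here, so unknown identifiers count toward the client's lockout.
    def identify(self, email, client_ip, now):
        if self._locked(client_ip, now):
            return "locked"
        if email.strip().lower() in self.users:
            return "ok"
        self._fail(client_ip, now)
        return "unknown"

    # Phase 2: password for an identifier that passed phase 1.
    def authenticate(self, email, password, client_ip, now):
        email = email.strip().lower()
        if self._locked(client_ip, now) or self._locked(email, now):
            return "locked"
        user = self.users.get(email)
        if user is None:                          # phase 2 reached without phase 1
            self._fail(client_ip, now)
            return "bad_password"
        if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            self.failures.pop(email, None)        # success clears the per-account count
            return "ok"
        self._fail(email, now)
        self._fail(client_ip, now)
        return "bad_password"

    # "Need Help?" path, available at any time: look the account up by the
    # recovery contact given at registration and send the identifier *to that
    # contact*, never back to the requester. The response is the same whether
    # or not the contact is registered, and guesses count toward the client's
    # lockout, so this form does not become an enumeration oracle.
    def recover_identifier(self, recovery_phone, client_ip, now):
        if self._locked(client_ip, now):
            return "locked"
        for email, user in self.users.items():
            if hmac.compare_digest(user["recovery_phone"].encode(), recovery_phone.encode()):
                self.sent.append((recovery_phone, email))
                break
        else:
            self._fail(client_ip, now)
        return "sent_if_registered"
```

The per-client counter is what makes the 5-attempt limit meaningful for the "forgotten email" case: without it, an attacker who does not know any valid identifier could probe the phase-1 prompt or the recovery form indefinitely, since no account exists to lock. The per-account counter still protects a known identifier from a distributed guess, and a successful login clears only that account's count, not the client's.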

