If you follow the pattern of allowing users access to your application without having confirmed an email (generally considered good UX), how do you handle the case where they forgot their password? Very important in this particular case as the site includes personal health information.
Clearly, sending them an email with instructions to reset it is not appropriate, as their email is not yet verified. I came up with four solutions, but like none of them.
1. Freeze a user out after, say, 1 week if they haven't confirmed their email. Then, during this one-week grace period, they cannot recover their email. (Somewhat problematic because it's a security issue to reveal whether an email address is registered during forgot password, so we'd be unable to actually communicate that password reset is unavailable to them based on not having confirmed.)
2. Add a "security question" to signup. Bad for fairly obvious reasons.
3. Just not let them use the site without confirming their email. Also bad.
4. Just let them recover their password even without a confirmed email, but add some text in the site: "if you haven't confirmed your email, someone could get access to your private health information." This would show in a banner at the top of the screen until they register, with the option to have the email re-sent to any email address they choose. This might be the worst security case of all.
Any ideas?
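One way to keep the forgot-password endpoint from revealing registration or confirmation status, the enumeration concern raised in option 1: an added example (not code from the original post) that returns the same message for unknown, unverified and verified addresses, issues a reset token only for confirmed accounts, and writes the refusal to an audit log so the unverified case stays visible to operators. The account store, field names and messages are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    email: str
    email_verified: bool

# Constructed sample account store (not from the original post).
ACCOUNTS: Dict[str, Account] = {
    "verified@example.com": Account("verified@example.com", True),
    "unverified@example.com": Account("unverified@example.com", False),
}

# The user-facing message is identical in every branch, so the response body
# does not tell a requester whether the address exists or is confirmed.
GENERIC_RESPONSE = "If that address is registered and confirmed, a reset link has been sent."

def request_password_reset(
    email: str,
    accounts: Dict[str, Account] = ACCOUNTS,
    outbox: Optional[List[Tuple[str, str]]] = None,
    audit: Optional[List[Tuple[str, str]]] = None,
) -> str:
    """Handle a forgot-password request without leaking account status.

    outbox collects (recipient, token) pairs that a mailer would send;
    audit collects (event, email) pairs for the security log. Both are
    injected so the flow can be tested offline.
    """
    outbox = outbox if outbox is not None else []
    audit = audit if audit is not None else []
    key = email.strip().lower()          # normalise so casing cannot split accounts
    acct = accounts.get(key)

    if acct is None:
        audit.append(("reset_requested_unknown", key))
    elif not acct.email_verified:
        # Never mail a reset link to an address nobody has proven they control.
        audit.append(("reset_refused_unverified", key))
    else:
        token = secrets.token_urlsafe(32)  # single-use, expiring token in a real deployment
        outbox.append((acct.email, token))
        audit.append(("reset_token_issued", key))

    # Same text on every path; in production also equalise response timing
    # (e.g. hand the mail off to a queue) so latency does not leak the branch.
    return GENERIC_RESPONSE
```

The audit entries are what a detection pipeline would alert on if reset requests for unverified accounts start arriving in volume.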