Hi Aaron,
On Sat, Jul 07, 2012 at 06:13:53PM +0100, Aaron B. Russell wrote:
> Perhaps if, at the time of disabling password resets,
> a customer was required to send in an image of a government ID that you could keep on file
> and validate against, in case they ever did lock themselves out? I'm not sure how
> happy people would be to do that, though.
I like this option far less than my suggestion that anyone who
wanted to disable password resets would have to upload a PGP or SSH
key first.
Most people can't be bothered with public key crypto, but if someone
is going to disable the one way they have of getting access when locked
out then perhaps they could be forced to bother.
Maybe I should just ask this question (off-list) of the few
customers who have disabled password reset and see what they
consider an appropriate level of security should the worst happen.
It doesn't affect the majority of you and I think people have
difficulty putting themselves into such a hypothetical situation.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
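The key-based recovery Andy suggests, worked through as an added example (not BitFolk's code; it assumes the `cryptography` package, a constructed account id and a 300-second challenge lifetime): the customer registers a public key while still logged in, and when locked out proves possession of the matching private key by signing a one-time random challenge, so no password reset path is needed.

```python
"""Challenge-response account recovery with a pre-registered public key.
Added example (not BitFolk code); assumes the `cryptography` package."""
import os
import time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

CHALLENGE_TTL = 300  # seconds a challenge stays valid (constructed value)
PREFIX = b"account-recovery:"  # domain separation: the key signs nothing else by accident


class RecoveryService:
    """Server side: registered keys plus outstanding one-time challenges."""
    def __init__(self):
        self.registered = {}  # account -> Ed25519PublicKey
        self.pending = {}     # account -> (nonce, issued_at)

    def register_key(self, account, public_key):
        # Done while the customer is still logged in, before resets are disabled.
        self.registered[account] = public_key

    def issue_challenge(self, account):
        nonce = os.urandom(32)  # fresh each time, so a captured signature cannot be replayed
        self.pending[account] = (nonce, time.time())
        return nonce

    def verify_response(self, account, signature):
        entry = self.pending.pop(account, None)  # one attempt per challenge
        if entry is None:
            return False
        nonce, issued = entry
        if time.time() - issued > CHALLENGE_TTL:
            return False
        try:
            self.registered[account].verify(signature, PREFIX + nonce)
        except (KeyError, InvalidSignature):
            return False
        return True


def customer_sign(private_key, nonce):
    """Customer side: sign the challenge with the private key they kept offline."""
    return private_key.sign(PREFIX + nonce)


def run_scenario():
    """Genuine key succeeds; a different key and a replayed signature both fail."""
    svc = RecoveryService()
    key = ed25519.Ed25519PrivateKey.generate()
    svc.register_key("cust-0001", key.public_key())  # constructed account id
    nonce = svc.issue_challenge("cust-0001")
    genuine = svc.verify_response("cust-0001", customer_sign(key, nonce))
    nonce = svc.issue_challenge("cust-0001")
    impostor = svc.verify_response("cust-0001", customer_sign(ed25519.Ed25519PrivateKey.generate(), nonce))
    replay = svc.verify_response("cust-0001", customer_sign(key, nonce))  # challenge already consumed
    return genuine, impostor, replay
```

The same flow works with an SSH key, since OpenSSH keys are the same Ed25519 or RSA key pairs; the provider only ever stores the public half.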