On 08/07/2012 12:58, Mathew Newton wrote:
> <snip> so perhaps the control panel could allow
> users to enter a question and answer that only they could know? I'm
> thinking along the lines of 'What make was your first computer' type of
> thing but this bit is key: let the user decide the question so they can
> make it as secure (private/obscure) as they like as some of the stock
> questions often asked are usually quite weak (e.g. mother's maiden name).
I like this idea and second the not using stock questions. The number
of websites where I have had to put my mother's maiden name and name of
first pet, I don't consider them to be secure any more (not that
mother's maiden name is secure against a targeted hack - it's a public
record). I had issues when completing the answers to some of the set
questions when configuring the password reset mechanism for my account
at work as many of the questions were not something I could give a
single definitive answer to.
> For what it's worth, I'm not keen on the methods suggested that could take
> time to complete and carry other restrictions e.g. coded bank payments,
> Skype calls, scanned utility bills etc and would prefer following the KISS
> principle as much as possible.
While I think that the use of bank payments could still be a useful
method in conjunction with some other identification, I agree that
scanned images of bills and/or passport/driving licence are easily
edited or faked (at least as far as could be verified by Andy). A
previous suggestion (from Andy?) about needing to upload a PGP/SSH key
in order to disable the password reset email option sounds sensible to me.
Gavin