Example scenario in an ASP.NET application using SQL Server membership provider :

1) a user can’t remember their exact password, and tries many times in a short space of time to login with an invalid password (say 5 times in a 10 minute window). This locks out the user (i.e. sets the IsLockedOut flag of the aspnet_Membership table to 1).

2) user goes to the “forgot my password” screen to try to get a new password emailed to them. This screen uses the PasswordRecovery control. User enters their correct user id, but then cannot go further in the password recovery process, since the IsLockedOut flag is 1. (They don’t even get to see their security question).

3) The user would then have to phone tech support to get themselves unlocked etc.

To reduce the burden on support staff, we are trying to reduce the times step 3 is required, by making the PasswordRecovery control (if possible), work with locked out users. i.e. when they enter their login ID, the security question comes up, and IF they enter the correct answer, the system will unlock the user, and email the new temporary password to them. I’m wondering if it is possible to tweak the PasswordRecovery control to do this. Or maybe this approach has security issues ?