I am designing a website for a college-oriented website and have some trouble designing the business logic behind the “forgot login” sequence.
A user is registered through their college email, so if they forget their password they can have it emailed to their college email. However, the problem is that a user can return after college when they no longer have this email and attempt to log in. If they forgot their password, it cannot be emailed because they no longer have this email.
My boss wants me to implement a system to ask a few identifying questions such as first/last name, DOB, and “favorite” questions which they answer on their initial login. This seems really bad to me because 1) this is “wish it was” security and 2) the website holds extremely personal information.
Does anyone have any ideas or better implementations for this? One thing I considered was asking them for a secondary email on their initial registration, but I am wondering what else is out there. Also, am I accurate to cringe at the desired security implementation?
Thanks
Even if you obtain a second email address, you may find users that forgot it or changed it since they left college.
You said you store very personal information in your application. You should use it to your advantage. You can ask the user to provide 2 or 3 pieces of personal information and verify it against what you have in your system.
This in conjunction with the security question should give you enough security.
Also, please make sure you limit the number of attempts before you lock the user out for a period of time. You don’t want people trying to guess the answers to the identifying questions.
I hope this helps. Good luck!
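The answer above describes the check (verify several pieces of identifying data, plus the security question, and lock the account after too many failed attempts). Here is an added, constructed illustration of that logic; it is not code from the original thread, and the field names, attempt limit and lockout duration are assumed placeholder values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # assumed policy value, not from the thread
LOCKOUT_SECONDS = 15 * 60   # assumed policy value, not from the thread


def normalize(answer: str) -> str:
    """Lower-case and collapse whitespace so 'Fido ' and 'fido' compare equal."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored hashed, like passwords, so a database leak does not
    # expose the personal information used for recovery.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class RecoveryRecord:
    salt: bytes
    answer_hashes: dict        # field name -> hash of the expected answer
    failed_attempts: int = 0
    locked_until: float = 0.0  # unix time until which recovery is refused


def make_record(answers: dict) -> RecoveryRecord:
    """Build the stored recovery record from the answers given at registration."""
    salt = secrets.token_bytes(16)
    return RecoveryRecord(salt, {k: hash_answer(v, salt) for k, v in answers.items()})


def verify_recovery(rec: RecoveryRecord, supplied: dict, now: float) -> bool:
    """Return True only if every stored field matches; enforce the lockout."""
    if now < rec.locked_until:
        return False               # locked out: refuse without evaluating answers
    ok = True
    for field_name, expected in rec.answer_hashes.items():
        given = hash_answer(supplied.get(field_name, ""), rec.salt)
        # Check every field, with no early exit, so the response does not
        # reveal which field was wrong (and timing does not either).
        ok &= hmac.compare_digest(given, expected)
    if ok:
        rec.failed_attempts = 0
        return True
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_ATTEMPTS:
        rec.failed_attempts = 0
        rec.locked_until = now + LOCKOUT_SECONDS
    return False
```

The caller should give the same generic failure message whether the record was locked or an answer was wrong, and log the failed attempts for review.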