I’m working on a web applications where – believe it or not- the users aren’t required to provide their email address to sign up. These requirements can not change. The users will login to the system with an id and password just like any standard web site. The problem I’m facing has to do with user’s that have forgotten their password. When they want to generate a new one, how do I verify their identity?
Initially, I was going to make the users choose a security question (from a list of 5) and provide an answer. If they ever entered the Forgot Password page, they would then have to enter their login id, as well as the answer to their security question. This seems slightly insecure, as the answer to these types of questions (mother’s maiden name, birth town, etc.) are generally not that hard to acquire.
So here are some of my questions:
- Are security questions the best approach to this problem?
- If so, what are the best questions?
- How many questions should a user be required to enter the answers for?
- Is it necessary to put a CAPTCHA on the Forgot Password page?
- Is it better for users to generate their own questions?
Any help/comments/literature on this matter would be greatly appreciated.
Since you cannot use any other means of authentication (such as email address, OpenID, etc.) this is the best you can do really. However, you could always add a “password hint” to the signup process.
It’s much easier if you let the user write his/her own question as opposed to the stock “first car” or “first pet”. This is a good failsafe as it (usually) provides a very difficult question/answer combo to randomly guess and is likely as secret as a password.
Allow for one question/answer combo.
Well, there has to be some attempt to guard against brute-force attacks, especially from bots. I would use the same technology that SO uses: reCAPTCHA