Has anyone ever come across a decent password reset scheme that does not rely on an email address being emailed a password or reset link, and does not rely on the rather simple 'Mother's maiden name' security questions either?
The reason behind this is that many of our users do not have their own email address (that they use for our services anyway), and it appears as though our current way of emailing the registered email address a link by which they can reset their password, when they forget their password, isn't working too well.
Has anyone got any ideas? I'm up for something totally unconventional, if it calls for it!
Ask three questions on signup and all three must be correct to allow any account modification.
Don't make it mother's maiden, birthday, pet's name, or allow them to create their own. People are lazy and create lazy questions that will invariably make it insecure. Get creative with it, maybe even use a database of several hundred questions of which three are randomly selected at signup time so no two members have the exact same questions.
Using 3 questions of their own choice would be better overall. Otherwise they may never get the answer. On a site for local residents we have some trick questions in the signup form like what do you see along the roadside on the way there, and most get that wrong.
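The two answers above differ only in where the questions come from (a random pick from a server-side pool versus questions the user writes). The storage and verification side is the same either way, and it is the part that usually goes wrong: answers get stored in plaintext and compared one at a time. The following is an added example, not code from either poster. It selects three questions from a constructed pool (a stand-in for the "several hundred questions" database), normalizes answers so harmless variations still match, stores each answer as a salted PBKDF2 hash exactly as a password would be, and requires all three to verify before reporting success. The pool contents, the iteration count and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import random
import unicodedata

# Constructed pool standing in for the "database of several hundred questions".
QUESTION_POOL = [
    "What was the make of the first car you drove?",
    "What was the name of your first school teacher?",
    "In which town did your parents meet?",
    "What was the title of the first album you bought?",
    "What was the name of the street you lived on at age ten?",
]

PBKDF2_ROUNDS = 100_000  # assumption: tune to what the server can afford per check


def normalize(answer: str) -> str:
    """Canonicalize an answer so case, spacing and accents do not cause a false reject."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(text.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Hash a normalized answer with a per-answer salt, like a password."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def pick_questions(pool, k=3, rng=random.SystemRandom()):
    """Randomly select k distinct questions from the pool at signup time."""
    return rng.sample(pool, k)


def enroll(questions_and_answers):
    """Store question text plus salt and hash only; works for pool-selected
    questions and for questions the user wrote themselves."""
    record = []
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        record.append({"question": question, "salt": salt, "hash": hash_answer(answer, salt)})
    return record


def verify_all(record, supplied_answers):
    """Every stored question must be answered correctly. All answers are checked
    even after a mismatch so the response time does not reveal which one failed."""
    if len(supplied_answers) != len(record):
        return False
    ok = True
    for entry, answer in zip(record, supplied_answers):
        candidate = hash_answer(answer, entry["salt"])
        ok &= hmac.compare_digest(candidate, entry["hash"])
    return ok


if __name__ == "__main__":
    chosen = pick_questions(QUESTION_POOL)
    stored = enroll(zip(chosen, ["Ford Fiesta", "Mrs. Jones", "Leeds"]))  # constructed answers
    print(verify_all(stored, ["ford  fiesta", "mrs. jones", "LEEDS"]))     # True
    print(verify_all(stored, ["Ford Fiesta", "Mrs. Jones", "York"]))       # False
```

Because the answers carry far less entropy than a password, the hashed storage only helps if the verification endpoint is also rate limited and locked after a few failures; otherwise a per-question guess list beats the hashing cost.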