Lack of interest Ability to recover account/password without email

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
Biker

Biker

Well-known member
There are times when a forum member is gone for a long time, and during this absence may change email providers. This makes recovering their account without Admin assistance virtually impossible if they've forgotten their password.

It would be a nice feature to allow users to be able to recover their accounts directly from the site without having to worry about the password change request going to their old email address that they no longer have access to.
 
Upvote 1
This suggestion has been closed. Votes are no longer accepted.
Do you have any suggestions of what could be used to identify the person as the account owner other than the email address or password?
 
I've seen some sites use a series of secret questions that can be answered by the individual. The answers are provided by the user when they sign up for their initial account.
 
I think you could do this with custom fields if you want (required, editable only once, not displayed publicly), albeit manually.

A lot of high profile account compromises happen because of weak security questions and answers that allow this sort of account resets so I'm hesitant to use it.
 
I agree with Mike: Forcing users to create secret questions adds a lot more complexity (and thought requirements) at registration for potentially a large security threat. It'd be nice to have a non-email based password reset function, but I don't think secret questions are the way to go. Sorry. :)
 
Teapot said:
I agree with Mike: Forcing users to create secret questions adds a lot more complexity (and thought requirements) at registration for potentially a large security threat. It'd be nice to have a non-email based password reset function, but I don't think secret questions are the way to go. Sorry. :)
Click to expand...

Doesn't have to be secret questions. But an alternative means of being able to recover your account without relying on email would be a nice feature. Especially since the software doesn't currently have a way of merging accounts. Users create a second account, post on it, and now they have two accounts with posts
 
Biker said:
Doesn't have to be secret questions. But an alternative means of being able to recover your account without relying on email would be a nice feature. Especially since the software doesn't currently have a way of merging accounts. Users create a second account, post on it, and now they have two accounts with posts
Click to expand...
How about the ability to put in an optional second recovery email account. I know I keep several hotmail accounts that I use just for emergency password recovery.

Scratch that as I see it has been mentioned - and I second the idea of a secondary recovery email account.
 
Many of my "older" members have enough issues with one email account. Trying to maintain two isn't something I'd be comfortable in suggesting. The entire purpose of the suggestion is to get away from relying on email to reset a password.
 
Biker said:
I've seen some sites use a series of secret questions that can be answered by the individual. The answers are provided by the user when they sign up for their initial account.
Click to expand...
What if they did forget the answers to the questions as well?
 
Biker said:
Many of my "older" members have enough issues with one email account. Trying to maintain two isn't something I'd be comfortable in suggesting. The entire purpose of the suggestion is to get away from relying on email to reset a password.
Click to expand...
Hehehe.. Older... hehehehe. I'm almost 50, so I meet that classification. ;)
That's why it would be an option. Security questions are not the best way to handle it as it is an inherent weakness there. If they have an Android phone, then they will usually already have a second email account (if they are using their ISP provider as their primary emails - or their employer).
 
Biker's right, some of a communities older or "gone away for a long time" members do forget passwords then find their email is long out of date. We just deal with these manually (either spotting duplicate accounts and offering to merge them, though we can't actually merge at present since moving from vB to XF I should say!) or manually updating an email if the member contacts us, so they can reset their own password.

We also pro-actively try to reduce these cases by acting on bounced emails immediately by putting that account in confirmation required status, so as soon as a member's email is out of date and we know about it, we force them to update.

Not sure what the solution is. SMS texts would be one idea, but then if someone goes away for a few years their phone might be out of date too (and resets would cost money per text here in the UK). Additional emails could also go out of date. I struggle to remember secret questions and answers - since I try and avoid mother's maiden name type things.
 
Do not trust Security questions. They are all sucks and easy to defeat (because they are all common questions that could be guessable) and trust me, your members would forget them before they forget the password.
 
Anyone come up with a good solution to this?

Would it be a security issue to have a secret question on registration we could manually ask them if they contacted us and said they forgot their password? It would be no different than entering the password itself, so I can't see how it'd be less secure.
 
@Brogan I'd like to suggest the following, but I am not sure if I should open a new suggestion or if my suggestion will be considered as part of in the current suggestion if I post it here? My suggestion is related but is much wider than the suggestion in this thread.

Account access Fall back with social networks
Just like gmail and other services ask their member to add a second contact address, XenForo should ask members to connect their account to social media accounts in case they loose their password & email. XenForo now supports facebook, google and twitter login, so this should be a small step.

Over time communities loose a very large number of members due to lack of access and lack of contact. Once members no longer have access to their accounts and no longer are able to receive community email, they are lost members. On my site this means many tens of thousands of accounts. Its a great loss. It would be such a valuable function if we would be able to give those lost members access to their account or even be able send them a short message with access instructions.
 

Similar threads

wonderwall
Help needed to recover account please
Replies
2
Views
532
wonderwall
wonderwall
Back
Top Bottom