FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Add a 'forgot username' screen to the hosted login pages #2217

Open mooreds opened 1 year ago

mooreds commented 1 year ago

Add a 'forgot username' screen to the hosted login pages

Problem

As of 1.45, FusionAuth has the ability to let a user reset their password, but no way to let them find their username or email address if they've forgotten it.

Solution

Add a hosted login page which does this.

It should have:

Alternatives/workarounds

Folks can write and host their own pages with the flow they need.

Additional context

This came up on a customer kickoff call.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mangeshparanjape commented 1 year ago

Looking forward to this functionality

bbarman4u commented 3 months ago

@mooreds we would love this feature also if available natively.

bbarman4u commented 2 months ago

Some AI-based suggestions on what a Secure Forgot Username functionality might need or should have:

  1. Limit Information Disclosure:
     - Don't reveal the full username: Instead of displaying the entire username, consider showing only a portion of it (e.g., the first few characters or a masked version).
     - Avoid direct confirmation: Refrain from directly confirming whether a username exists or not. Instead, provide a generic message like "If the provided information matches our records, we'll send instructions to the associated email address."
  2. Implement Rate Limiting and Account Lockouts:
     - Rate limiting: Restrict the number of username recovery attempts allowed within a specific time frame to prevent brute-force attacks.
     - Account lockouts: Temporarily lock the account after a certain number of failed attempts to deter malicious activity.
  3. Use Strong Verification Methods:
     - Multi-factor authentication (MFA): If possible, implement MFA to add an extra layer of security before revealing any username information.
     - Email or phone verification: Send a verification code to the user's registered email address or phone number before proceeding with the username recovery process.
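The following is an added Python example of how the first two suggestions above (a generic response that is identical for known and unknown emails, a masked username delivered only to the registered address, and a per-email rate limit) fit together in one recovery handler. It is not FusionAuth's code or anything posted in this thread; the user store, message text, limits and in-memory outbox are constructed assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Generic reply returned on every request, whether or not the email is known,
# so the response itself cannot be used as an account-existence oracle.
GENERIC_MESSAGE = ("If the provided information matches our records, "
                   "we'll send instructions to the associated email address.")

# Constructed sample user store (email -> username); an assumption for this
# example, not FusionAuth's data model.
USERS = {
    "alice@example.com": "alice.anderson",
    "bob@example.com": "bob_the_builder",
}

def mask_username(username: str, visible: int = 2) -> str:
    """Reveal only a leading fragment of the username in the recovery email."""
    if len(username) <= visible:
        return "*" * len(username)
    return username[:visible] + "*" * (len(username) - visible)

class ForgotUsernameService:
    """Recovery flow: generic response, per-email rate limit, masked
    username sent out of band to the registered address only."""

    def __init__(self, max_attempts: int = 3, window_seconds: int = 900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # email -> recent request timestamps
        self.outbox = []                     # stand-in for the email sender

    def _rate_limited(self, key: str, now: float) -> bool:
        q = self._attempts[key]
        while q and now - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def request_recovery(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key = email.strip().lower()
        # The limiter runs before the lookup so known and unknown emails take
        # the same path and are throttled alike.
        limited = self._rate_limited(key, now)
        username = USERS.get(key)
        if username is not None and not limited:
            self.outbox.append((key, "Your username begins with: " + mask_username(username)))
        # Same message in every branch: known, unknown, or rate limited.
        return GENERIC_MESSAGE
```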