SocialEngine / phpv4-feature-requests

The purpose of this repository is to collect SocialEngine PHP public feature requests.
https://www.socialengine.com

Forgot Email/Password Security Question #119

Open dreamgeekcoder opened 7 years ago

dreamgeekcoder commented 7 years ago

What is the feature?

If a user no longer has access to their email or password, the user is asked a series of questions so they can get access to the account again. Currently, if a user no longer has access to an email, they are unable to reset their password or regain access to their account.

Adding one or two security questions like "What is your first pet's name?" or "Where did you go to school?" etc. on sign-up would immediately solve this issue.

Of course the pages for "can't access account" would also need to be added in.

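The storage and verification side of the flow requested above, as an added example that is not SocialEngine code and not the requester's proposal; it is written in Python rather than the platform's PHP so it runs stand-alone, and the question text, user IDs, the in-memory store and the five-attempt limit are all constructed for the illustration. It shows the points a practitioner would want before shipping such a feature: answers are treated like passwords (normalized, salted, hashed with scrypt, never stored in clear), every enrolled question must be answered, the comparison is constant-time and does not short-circuit on the first wrong answer, and repeated failures lock recovery for that account. Note the caveat raised later in this thread still applies: answers to common questions are often publicly discoverable, so this is a weaker factor than email possession, not a replacement for it.

```python
"""Account recovery via security questions: enrolment and verification.

Example code added for illustration, not part of SocialEngine. Answers are
handled like passwords: normalized, salted and hashed with a slow KDF, never
stored in clear. The user must answer every enrolled question, comparison is
constant-time, and repeated failures lock recovery for that account.
"""
import hashlib
import hmac
import os
import unicodedata

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # ~16 MiB per hash; tune per host
MAX_FAILED_ATTEMPTS = 5                       # assumed policy value for the example


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so trivial variations still match.

    'Fluffy!', 'fluffy' and '  FLUFFY ' all become 'fluffy': accents are
    stripped, punctuation dropped, case folded and whitespace collapsed.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    kept = "".join(c for c in no_accents.casefold() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted scrypt digest of the normalized answer (what gets persisted)."""
    return hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class RecoveryQuestions:
    """In-memory stand-in for the per-user columns a real plugin would add."""

    def __init__(self):
        self._records = {}    # user_id -> list of (question, salt, digest)
        self._failures = {}   # user_id -> consecutive failed recovery attempts

    def enroll(self, user_id: str, questions_and_answers):
        """Store a fresh salt and digest per question; plaintext is discarded."""
        records = []
        for question, answer in questions_and_answers:
            salt = os.urandom(16)
            records.append((question, salt, hash_answer(answer, salt)))
        self._records[user_id] = records
        self._failures[user_id] = 0

    def questions_for(self, user_id: str):
        """The prompts shown on a 'can't access account' page."""
        return [q for q, _, _ in self._records.get(user_id, [])]

    def is_locked(self, user_id: str) -> bool:
        return self._failures.get(user_id, 0) >= MAX_FAILED_ATTEMPTS

    def verify(self, user_id: str, answers) -> bool:
        """True only if every enrolled question is answered correctly.

        All digests are compared even after a mismatch, so response timing
        does not reveal which answer was wrong; each failure is counted.
        """
        records = self._records.get(user_id)
        if records is None or self.is_locked(user_id):
            return False
        ok = len(answers) == len(records)
        for (_, salt, digest), given in zip(records, answers):
            ok &= hmac.compare_digest(digest, hash_answer(given, salt))
        if ok:
            self._failures[user_id] = 0
        else:
            self._failures[user_id] += 1
        return ok

    def export_record(self, user_id: str):
        """Hex-encoded rows as they would be written to the database."""
        return [(q, salt.hex(), digest.hex())
                for q, salt, digest in self._records.get(user_id, [])]


if __name__ == "__main__":
    store = RecoveryQuestions()
    # Constructed sample enrolment, not real user data.
    store.enroll("alice", [("What is your first pet's name?", "Fluffy"),
                           ("Where did you go to school?", "Lincoln High")])
    print(store.questions_for("alice"))
    print("correct, loosely typed:", store.verify("alice", ["  fluffy! ", "lincoln  high"]))
    print("one wrong answer:", store.verify("alice", ["Fluffy", "Roosevelt"]))
    print("stored rows:", store.export_record("alice"))
```

The normalization deliberately loses information (case, accents, punctuation), which lowers the answer's entropy a little but avoids locking out the legitimate user who typed "Fluffy!" ten years ago; the lockout counter is what keeps that trade-off from turning into a cheap guessing attack.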

gsf00001 commented 7 years ago

Very useful idea - thanks for posting.

I would suggest that answers not be required though (i.e. option to skip). I prefer to not ask all Users to do something that only a handful may possibly need.

dreamgeekcoder commented 7 years ago

This becomes an issue the older your site becomes. My site is approaching 10 years on SE... many users no longer have access to emails from 10 years ago. They email requesting access to the account with no way for me to verify if it is them. Skipping defeats the purpose of this option... as you won't need it till you need it. Maybe turn off for the whole network... or turn on would be better if you have a concern about more questions.

gsf00001 commented 7 years ago

Yes, I see that it's sort of only useful if the data was entered and not skipped over.

For me though, I simply don't like the answers to all these common questions 'out there', especially on a non-highly-secure site (heck - I've been skipping the questions on Yahoo and gmail for years now - I simply don't trust them). I guess I also come from the perspective of expecting more responsibility from Users, even though there will always be those that don't think ahead. If I plan on changing an email address, I create the new one, update all related accounts and test to be sure they all point to the new one, then stop using the old one and eventually delete the old account.

I'm still of the mindset for a skip option because I don't want all Users to be bothered with extra input (especially of somewhat private information) for the few irresponsible people out there. Yes, I realize there are times when an email provider suddenly cuts off access or shuts down, but that's very rare (if using 'regular'/common email providers). And don't get me started on people using work emails for non-work related access :)

My mantra with SE is flexibility, flexibility, flexibility. Still like the idea though - but only if not required :)