
Password Recovery Without email

I was wondering if anyone has ever used, built or seen a password recovery tool that was completely online and didn't require sending some kind of password reset email.

I understand the security concerns and I am completely open to the idea that this is just not a secure way to handle things but I have been tasked by my employer to look into this type of solution. I feel like I have used something like this before.

Our main concern is email spam filters grabbing lost password emails. If there were best practices on formatting these emails that would be a great thing to send over also.

Any thoughts?

Thanks

Craig


Almost all security relies on varying combinations of the three things below:

  • Cryptographic proof
  • shared secret
  • trusted third party

and using them, for a given level of likelihood, to verify that the counter-party in the current transaction is the same party with whom you had the original contract.

Really, that's all "online identity" is - how likely is it that the person talking to me now is the person I was introduced to yesterday.

For example, a password is a shared secret that both parties know, and both assume, for a given level of likelihood, that the other person with the secret is who they think they are.

That's the easy one.

The security question (Mother's Maiden name) is just a second password in case you forget the first.

OpenID is a trusted third party approach. Stackoverflow trusts google. I try to log in to stackoverflow and SO passes me over to google. All SO sees is google coming back saying "yes he is".

However, compared to email penetration, OpenID is hardly used, so it's not going to work as a recovery option.

The email password reset is an example of a direct shared secret involving a trusted third party - gmail is "trusted" by both parties, so one can send a shared secret to gmail, and trust that for a given level of likelihood, only the other party will be able to access that shared secret.

Finally cryptography can be used as a trusted third party. If I know your public key I can "trust" RSA and store the new password by encrypting it then putting it on my website. Only you can read it, so it could work as an instant, online password reset. But the penetration of PGP/GPG is so much worse than that of OpenID the idea is a non-starter (*)

What you need is a second channel of communication that you gather at the time of contract - usually it's email, it could be OpenID, a mobile number or their GPG public key. But you must collect that channel at the time of making initial contract.

Talking of mobiles, I did see a neat one at my local cellphone shop - they texted me a random password, and then the sales assistant entered in the password when it arrived at my phone - proving the phone's owner was in the shop and compliant (for a given level of likelihood).

(*) actually I think there is a solution - http://www.itmanagerscookbook.com/Attitude/identitycrisis.html. As you can tell, trying to express the concepts above is an ongoing effort.
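The answer above boils password reset down to a one-time shared secret delivered over a second channel that was registered up front (email, SMS, or similar), and the cellphone-shop story is the same pattern with a short code typed back. The following is an added example, not code from the question or the answer, showing the server side of that pattern in a channel-agnostic way: the secret is generated, only its digest is kept, it expires, it is single-use, and guesses are capped so that a six-digit SMS code stays workable. The `Account`/`ResetStore` shapes, the 15-minute TTL, the five-attempt cap and the sample accounts are all constructed for this example; the delivery step (actually sending the email or text) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Policy knobs (constructed values for this example).
TOKEN_TTL_SECONDS = 15 * 60   # a reset secret is valid for 15 minutes
MAX_ATTEMPTS = 5              # guesses allowed before the secret is discarded
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    channel: str          # second channel collected at signup, e.g. "email:..." or "sms:..."
    salt: bytes
    password_hash: bytes


@dataclass
class ResetStore:
    # username -> [sha256(secret), expiry timestamp, failed attempts]
    pending: dict = field(default_factory=dict)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_account(username: str, channel: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, channel, salt, hash_password(password, salt))


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash, hash_password(password, account.salt))


def _secret_digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def issue_reset(store: ResetStore, account: Account, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a one-time reset secret and return (channel, secret) for delivery.

    Only the digest is stored server-side, so a leaked database does not expose
    live reset secrets. The caller sends the secret over the returned channel."""
    now = time.time() if now is None else now
    if account.channel.startswith("sms:"):
        # Short numeric code for a phone; MAX_ATTEMPTS offsets the small code space.
        secret = f"{secrets.randbelow(10**6):06d}"
    else:
        secret = secrets.token_urlsafe(32)   # high-entropy token for an email link
    store.pending[account.username] = [_secret_digest(secret), now + TOKEN_TTL_SECONDS, 0]
    return account.channel, secret


def complete_reset(store: ResetStore, account: Account, presented: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Consume the pending secret and set a new password. Returns False on any failure."""
    now = time.time() if now is None else now
    record = store.pending.get(account.username)
    if record is None:
        return False
    digest, expires_at, attempts = record
    if now > expires_at or attempts >= MAX_ATTEMPTS:
        del store.pending[account.username]      # stale or brute-forced: discard it
        return False
    if not hmac.compare_digest(digest, _secret_digest(presented)):
        record[2] += 1                            # count the miss; constant-time compare above
        return False
    del store.pending[account.username]          # single use: the secret is gone after success
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    return True


if __name__ == "__main__":
    store = ResetStore()
    acct = new_account("craig", "email:craig@example.invalid", "old-password")  # constructed
    channel, secret = issue_reset(store, acct)
    print("deliver over", channel)                # the email/SMS send happens here
    print("reset ok:", complete_reset(store, acct, secret, "new-password"))
    print("old password still works:", verify_password(acct, "old-password"))
```

The spam-filter worry in the question is about delivery, not the protocol, and this design keeps the two separate: the same `issue_reset` serves an email link, an SMS code, or a code read out in a shop, and a secret that never arrives simply expires unused.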


The only safe alternative I'm aware of is offering a password reset page after a security question (mother's maiden name, but preferably something user configurable/safer).
