simple authentication scheme
I have an online registry of professionals with about 300 members. These are smart people, but non-technical. Currently, if somebody forgets their email address, the system resends it to the email address they registered with.
The problem is that people change their email addresses over time, then forget their password, and can't receive the reminder.
I need to come up with a simple authentication system that allows people to recover their passwords even if they have changed email address.
I'm struggling to come up with anything that is even moderately secure that doesn't require the user's email address.
Can anyone suggest anything?
Keep their mobile numbers for SMSing-- those might change less often or at least not in tandem with email addresses.
Also consider handling this case via manual support if the user base is only 300; but if you do so, don't forget to be diligent in whatever your manual verification method is. :)
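An added example (not part of the answer above) of the SMS path it suggests: a short one-time code is sent to the mobile number kept on file, only a hash of the code is stored, and the code expires, is single-use and is discarded after a few wrong guesses. The member directory, the time-to-live, the attempt limit and the `SENT_SMS` list standing in for an SMS gateway are all assumptions made so the code runs offline.

```python
import hashlib
import hmac
import secrets
import time

# Added example of the SMS-based recovery path suggested above. The SMS gateway is
# stubbed (codes are appended to SENT_SMS) so the code runs offline.

CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumption: a code is discarded after 5 wrong guesses

# Constructed sample directory: member id -> mobile number registered at sign-up
MEMBERS = {"alice": "+15550100001", "bob": "+15550100002"}

PENDING = {}    # member id -> {"hash", "expires_at", "attempts"}
SENT_SMS = []   # stand-in for the SMS gateway: (number, code)


def _hash_code(user, code):
    # Store only a hash, bound to the user id, so a leaked PENDING table is not directly usable
    return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def start_sms_recovery(user, now=None):
    """Generate a 6-digit one-time code, keep its hash, and send the code to the registered number."""
    if user not in MEMBERS:
        # The web layer should show the same "if an account exists, a code was sent" message either way
        return False
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {
        "hash": _hash_code(user, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    SENT_SMS.append((MEMBERS[user], code))
    return True


def verify_sms_code(user, code, now=None):
    """Return True once for the right code inside the window; expired or overused codes are dropped."""
    entry = PENDING.get(user)
    if entry is None:
        return False
    now = time.time() if now is None else now
    if now > entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
        del PENDING[user]
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(_hash_code(user, code), entry["hash"]):
        del PENDING[user]   # single use: a replayed code is rejected
        return True
    return False


if __name__ == "__main__":
    start_sms_recovery("alice")
    number, code = SENT_SMS[-1]
    print("sent", code, "to", number, "->", verify_sms_code("alice", code))
```

The attempt limit matters more than it looks: a 6-digit code has only a million values, so without it (and without the expiry) an automated guesser would eventually succeed. Rate-limiting the `start_sms_recovery` call per account and per source address is the other half of the picture.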
The most common practice would be to introduce additional questions with registered answers, that would allow a user to reset their email address and password. (Though only one at a time and the second only after verification of the first).
For instance:
In what city did you grow up? Where did you go to college?
Usually you would have a stack of questions, let the user select 3 questions, and register their answers. The key is not to ask the same 3 questions of everyone.
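An added example (not code from the answer above) of the question-based flow it describes, carried through end to end: each member picks 3 questions from a larger pool, answers are normalised and stored only as salted hashes, correct answers unlock an e-mail change, and the password reset is completed only through a token delivered to the newly nominated address, so the two changes happen one at a time as the answer recommends. The question pool beyond the two questions quoted above, the PBKDF2 round count and the `SENT_EMAIL` list standing in for a mail gateway are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Added example of the security-question recovery flow described above. The mail
# gateway is stubbed (tokens are appended to SENT_EMAIL) so the code runs offline.

QUESTION_POOL = [
    "In what city did you grow up?",
    "Where did you go to college?",
    "What was the name of your first employer?",   # constructed extra pool entries
    "What was the make of your first car?",
    "What street did you live on as a child?",
]
QUESTIONS_PER_USER = 3
PBKDF2_ROUNDS = 50_000   # assumption: tune for your hardware

PROFILES = {}     # user -> {"email", "password": (salt, hash), "questions": [(q, salt, hash)], "pending"}
SENT_EMAIL = []   # stand-in for the mail gateway: (address, token)


def normalize(answer):
    """Lower-case, strip accents and collapse whitespace so 'Néw  York' matches 'new york'."""
    ascii_only = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(ascii_only.lower().split())


def _kdf(secret, salt):
    # Slow salted hash so a leaked profile table cannot be searched quickly for common answers
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def pick_questions():
    """Offer each new member a random subset of the pool so not everyone gets the same 3."""
    return secrets.SystemRandom().sample(QUESTION_POOL, QUESTIONS_PER_USER)


def register_member(user, email, password, answers):
    """answers: {question: answer}; exactly QUESTIONS_PER_USER questions, all from the pool."""
    if len(answers) != QUESTIONS_PER_USER or any(q not in QUESTION_POOL for q in answers):
        return False
    stored = []
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        stored.append((question, salt, _kdf(normalize(answer), salt)))
    pw_salt = secrets.token_bytes(16)
    PROFILES[user] = {"email": email, "password": (pw_salt, _kdf(password, pw_salt)),
                      "questions": stored, "pending": None}
    return True


def verify_answers(user, answers):
    """Every registered question must be answered correctly; no early exit, constant-time compares."""
    profile = PROFILES.get(user)
    if profile is None:
        return False
    ok = True
    for question, salt, digest in profile["questions"]:
        candidate = _kdf(normalize(answers.get(question, "")), salt)
        ok = hmac.compare_digest(candidate, digest) and ok
    return ok


def request_email_change(user, answers, new_email):
    """Stage 1: correct answers let the member nominate a new address; nothing changes yet."""
    if not verify_answers(user, answers):
        return False
    token = secrets.token_urlsafe(32)
    PROFILES[user]["pending"] = {"email": new_email, "token": token}
    SENT_EMAIL.append((new_email, token))
    return True


def confirm_email_and_reset_password(user, token, new_password):
    """Stage 2: the token proves control of the new address; only then are e-mail and password changed."""
    profile = PROFILES.get(user)
    if profile is None or profile["pending"] is None:
        return False
    pending = profile["pending"]
    if not hmac.compare_digest(pending["token"], token):
        return False
    salt = secrets.token_bytes(16)
    profile["email"] = pending["email"]
    profile["password"] = (salt, _kdf(new_password, salt))
    profile["pending"] = None
    return True


def check_password(user, password):
    profile = PROFILES.get(user)
    if profile is None:
        return False
    salt, digest = profile["password"]
    return hmac.compare_digest(_kdf(password, salt), digest)
```

Two details carry most of the security value here: answers are hashed like passwords rather than stored in clear, because "city you grew up in" is exactly the kind of fact that leaks; and the password is never reset on the strength of the questions alone, the questions only earn the right to nominate an address that must then be proven reachable. Per-account attempt limiting on `verify_answers`, as with any guessable secret, is left to the surrounding web layer.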