1

I've currently been asked to implement a 'forgotten username' functionality on a site I've inherited, and I'm curious what the best practice is for the process. I'm already following best practice for resetting the user's password (by sending an expiring, one use reset link) - but there doesn't seem to be any best practice policy for a forgotten username.

The options I've seen on other sites are:

  1. Input email address and send it - this is the most straightforward, but I'm uncomfortable about sending the username to the email address.

  2. Input email address and send a single use, expiring link which displays the username - but after it's expired or been used, it obviously won't work anymore.

  3. Similar to 2, but merge it with the change password process - if the user forgets their username, they get to see their username, but they have to reset their password too.

The user table doesn't have any other info set up within it (security question, date of birth, etc) - so I can't ask for any of this information without adding it retrospectively. But I'd appreciate any advice or views others have on how they have either implemented it, or how they think it should be implemented :).

4

3 回答 3

3

I'm not sure if this is really a case of best practise.

I imagine the username comes with an email address built into it? Most websites I've seen usually just ask you to input the email address that is linked to the account, and you'll receive an email containing your username.

It's the responsibility of the user to maintain their email address security. The Username is something that IS public information in most cases. I don't see why you need to focus so much secrecy on it.

What I like to do is..

Alternatively, if the user has forgotten their username, you can ask them to sign in with their email address instead. No emailing around necessary, and the user still needs to know the secret password.

于 2013-09-11T08:40:47.230 回答
1

I don't see any issue with option 1 as you will be sending the username to the registered email address, which only the registered user has access to. As you say, this is how other websites do it and it is tried and trusted by many.

I'd see option 2 and 3 as overkill, unless you have key business requirements to implement it this way.

于 2013-09-11T08:45:25.160 回答
0

All of the options proposed here are open to security issues. Sending the username to their email opens it up to attackers who could sniff the content of the email.

For a more secure approach you may to implement some multi-factor verification.

Example:

  1. On the form for discovering their username ensure their are multiple inputs (email and dob). The more you add the more secure it will be.

  2. If these inputs are correct then ask the user 2 or more security questions. Don't show the questions as drop downs, show them as text.

  3. Finally if the answers are correct then let allow them to login on a form with their username \ password.

** For even more security insert a step between 1 & 2 which emails a random token to the user which they must click to continue the flow.

I understand for most applications this may seem like overkill but if you are working on something which requires tight security then you must be careful with this sort of flow.

This article discusses Forgot Password but I think it's content is applicable:

https://fishnetsecurity.com/6labs/resource-library/white-paper/best-practices-secure-forgot-password-feature

于 2014-11-18T16:01:44.090 回答