Most sites have the ability to set up security questions. Name of first pet, mother's middle name, etc.
Then if a user's email changes, they forgot their password, or a phone number is not set up/accessible, they can still access the account.
Can also be used for security when an account is flagged for multiple logins.
Normal part of secure websites. Would like to see it here.
We need this fleshed out a bit more. It's a good idea but we need more clarity. This is why we have posting guidelines.
Do we provide a few default questions?
Does admin set up all of the questions?
How many questions? Is that under admin control too?
Does it have to match case too or just the word itself?
Yes, most sites have 3-6 questions that can be used. They could be selected by SE for simplicity. I've included a list of security questions that could be selected from and SE picks some and codes it in. Perhaps in a future release you could let the admin or user write a security question, but that's just more buttons and coding really.
Optional turn on of this feature.
Match word is generally the practice.
User gets 3 attempts to answer questions correctly before temporary lock down of ability to answer questions. This is already partly implemented in the new login ability so shouldn't be overly difficult.
Usually I see this happen 3 times and then the account is totally locked and requires admin validation or something.
But again... I'd really just be happy if there were 6 questions that SE picked, 1-3 are randomly shown, the user answers correctly, and then an ability to change the password appears.
https://sites.google.com/site/pwordsecuritykate/home/list-of-ideas-security-questions
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
Good idea. Thank you! We also need to include translation ability.
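
The flow proposed in this thread (several stored questions, a random subset shown, word match regardless of case, three attempts before a temporary lock), written out as an added example that is not SE's code. The class and function names, the 15-minute lock and the PBKDF2 work factor are assumptions.

```python
import hashlib, hmac, os, secrets, time, unicodedata

MAX_ATTEMPTS = 3         # from the thread: three tries
LOCK_SECONDS = 900       # assumption: length of the temporary lock
PBKDF2_ROUNDS = 100_000  # assumption: work factor for stored answers

def normalize(answer):
    """Match the word, not its case or spacing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())

def hash_answer(answer, salt=None):
    """Store answers like passwords: salted and slow-hashed, never plaintext."""
    salt = salt or os.urandom(16)
    data = normalize(answer).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)

class RecoveryChallenge:
    def __init__(self, stored, clock=time.monotonic):
        self.stored = stored          # {question_id: (salt, digest)}
        self.clock = clock
        self.pending = []             # questions shown for this attempt
        self.failures = 0
        self.locked_until = None

    def pick_questions(self, count):
        """The server, not the client, chooses which questions are shown."""
        self.pending = secrets.SystemRandom().sample(sorted(self.stored), count)
        return self.pending

    def verify(self, answers):
        now = self.clock()
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        ok = bool(self.pending) and set(answers) == set(self.pending)
        for qid in self.pending if ok else []:
            salt, digest = self.stored[qid]
            # Check every answer; compare digests in constant time.
            ok &= hmac.compare_digest(hash_answer(answers[qid], salt)[1], digest)
        if ok:
            self.failures, self.pending = 0, []
            return "ok"               # caller may now show the password-change form
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.failures, self.locked_until = 0, now + LOCK_SECONDS
            return "locked"
        return "wrong"
```

In a deployment the failure counter and lock time would be stored with the user record rather than in memory, so the limit survives a new session.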