However, occasionally, they get a new email address and lose access to their original one, and then also forget their password. At this point, they're now stuck. They can't perform a password reset because they don't have access to the original email address associated with the account.
What's the best practice for dealing with this situation?
I know some sites ask a series of "security questions" that allow you to authenticate without access to the email address, but are there any other options? I don't really want to store everyone's mother's maiden name or the name of the street they grew up on.
Is there a better way of dealing with this that doesn't leave users locked out because they forgot to update the email address in our system when they changed emails?
Say user bob has a friend alice in the same system. (Long before getting locked out) bob nominates user alice as trustee for his account.
Then bob gets locked out due to losing his e-mail address. Because he nominated at least one trustee, he now has the option of recovering through one of them.
Bob selects alice and hits a button. Alice gets the validation e-mail. The e-mail tells alice something like this:
"User bob is having difficulty accessing the system, and is trying to validate his password with a new e-mail address which is bob123@example.com. Do you know bob, and can you vouch for this being a correct e-mail address for bob? You are receiving this e-mail because user bob has previously nominated and authorized you to assist in this way."
If alice takes affirmative action to vouch for bob, then bob receives the password recovery mail at the new bob123@example.com address and can complete the usual flow.
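As an added illustration (not part of the original answer), here is a minimal Python model of the trustee flow described above; the class and method names are my own, and storage and mail delivery are stubbed in memory. It shows the checks a sound implementation needs: only a previously nominated trustee can be asked, the vouch token is single-use and expires, and only the addressed trustee can redeem it.

```python
import secrets
import time

TOKEN_TTL = 24 * 3600  # a vouch request is only honoured for one day


class RecoveryService:
    """In-memory model of trustee-assisted recovery (hypothetical names); a real
    system would persist this and send mail instead of appending to `outbox`."""

    def __init__(self):
        self.trustees = {}      # user -> set of trustees nominated while logged in
        self.pending = {}       # vouch token -> (user, trustee, new_email, expiry)
        self.reset_tokens = {}  # reset token -> (user, new_email)
        self.outbox = []        # (recipient, message) pairs standing in for e-mail

    def nominate_trustee(self, user, trustee):
        # Done by the authenticated user long before any lock-out.
        self.trustees.setdefault(user, set()).add(trustee)

    def request_recovery(self, user, trustee, new_email, now=None):
        """Locked-out `user` picks a nominated trustee; the trustee gets the mail."""
        if trustee not in self.trustees.get(user, ()):
            return None  # strangers cannot be asked to vouch
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user, trustee, new_email, now + TOKEN_TTL)
        self.outbox.append((trustee, f"User {user} asks you to vouch that {new_email} "
                                     f"is really theirs: /vouch/{token}"))
        return token

    def vouch(self, token, acting_trustee, now=None):
        """Called by the logged-in trustee who clicked the link. Returns the reset
        token sent to the new address, or None if the vouch is not acceptable."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use: gone after first attempt
        if entry is None:
            return None
        user, trustee, new_email, expiry = entry
        if acting_trustee != trustee or now > expiry:
            return None  # only the addressed trustee, and only before expiry
        reset = secrets.token_urlsafe(32)
        self.reset_tokens[reset] = (user, new_email)
        self.outbox.append((new_email, f"Password reset for {user}: /reset/{reset}"))
        return reset
```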
Assuming the rationale behind this is privacy, you could always choose questions that don't divulge sensitive information while still allowing the user to identify themselves, e.g. a user might not want to share their street name but presumably would not care about sharing the name of their first stuffed toy.
OWASP has a good article on security questions: https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_...
Additional ways for password reset: alternative e-mail addresses, personal questions, SMS messages sent to phones, ...
The software has to have nagging built in to bug the user into setting those up. "Hey, would you like to add another e-mail address to this account? It could be used to reset your password if you lose the original one." "Hey, would you like to add your phone number? ..."
To prevent getting there in the first place, could you do the type of “is this info still alright?” as part of the login flow every now and then? May reduce some of the cases at least.
If this happens just too often, you may need to ask for another means of contact info. Additional email/phone, which should all be pinged whenever auth info changes.
So what I would do is multiple things:
1. When signing up, suggest you will send them monthly notices. Probably you won't be allowed to by a lot of users, but at least you tried.
2. The monthly notice has an image with a unique id in it; if that image gets requested, you know they have looked at the mail and still have that address. If not, you know to flash them a message next time they come in: have you changed email recently? If they have, they are logged in currently, so they can go change their email.
--- 2
User clicks "forgot password".
Please write your email.
Writes email.
We do not have a record of that email; have you changed email lately?
Yes I have.
We have a credit card on record with us; is the one we have on record still the one you use?
Yes.
Pay 1 dollar (refundable or not depends on stuff) to unlock the account. Make sure to use the credit card we have on record!
Check that the credit card used is the same one you have on record. See that the credit card validates. Obviously people can have stolen credit cards; you know if your service or the people you serve would be likely to have this kind of thing happen to them.
--- 3
What kind of stuff does one do in your service? Is it unique enough that one can ask "name an X that you did recently" and the user would be able to describe it well enough that you could then find it? When you find it, present 6 example cases, one of which is the one they described and the others generated to resemble it, and then they have to say which one they actually did. The question is whether this part is automatable; many services would not be able to automate this kind of thing.