by davnicwil 2112 days ago
The article mentions the tradeoff of username Vs email of increased willingness for people to sign up Vs losing the simple channel for password reset, but does not propose a solution outside of non-expiring cookies, which to me isn't really a satisfactory solution (though perhaps it works OK enough in practice for some types of use cases).

In my view, for most applications, the upside is not really worth that downside. It got me thinking though, are there any clever solutions to do password reset without an email / social media account login / etc? Does anyone know of any good ones?

8 comments

The Reddit model of "email address is optional, but if you don't provide it you can't ever reset your password" works well.
Old Reddit is the epitome of user friendly web design.
I ran a small system for a while where you could designate three other users to act as backup. If you needed to reset your password each of the three backups would receive a unique token and a request that they forward it to you out of band. With all three tokens you could reset your password. This was optional, though, and in addition to a classic email based reset flow. Obviously a solution like this would only really be feasible for a few niche applications.
Could you set a minimum amount of time since last login / visit before recovery was possible? If you are visiting the site every day, and your three "friends" decide to collude to reset your password, the site should refuse to issue the tokens since you are still able to access it.

This gets a little more tricky if you have an unexpired session but want to be able to change your password (which likely requires knowing the existing password), but a request from this logged in session to reset your password should be trustable (unless your "friends" have also stolen your unlocked device).

Similarly, if one or more of your "friends" requests a token / password reset of your account, the site should highlight that in a banner on every page you visit, to potentially give you warning to find better friends. (The process for replacing a friend on the site should probably require re-entering your password too, to stop someone that's hijacked your session from picking three sock puppet accounts as your new friends, and resetting your password that way).

The community as a whole was pretty tight-knit so we didn't go that far down the security rabbit-hole. The initial proposal, though, only required a single backup and we did increase it to 3 to add a little more defense ;)

Presumably if only one "friend" defects and attempts to reset your account you will be notified by the other two friends sending you unrequested reset tokens out of the blue

3 is kinda an arbitrary number, chosen to strike a balance between security and convenience. It was decided that getting 3 people to collude to erode the trust of the community was harder than intercepting an email so the solution was accepted as adding some additional amount of security.

Honestly a bigger flaw in this scheme is if one or more of your friends is no longer active or has forgotten their own password and cyclically is relying on you for backup. You can hedge against this a bit by adding more backups and requiring only some critical mass of tokens, but this does also increase the attack surface.
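The backup-user scheme discussed in the comments above (n designated backups each receiving a one-time token, a minimum idle time before recovery is allowed, a banner alerting the owner to any reset attempt, and the k-of-n "critical mass" variant from the last comment) as a small added reference implementation. This is example code written for this page, not the commenter's original system; the class and function names, the 7-day idle window, the one-hour token lifetime and the sample usernames are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class RecoveryError(Exception):
    """Raised when a backup-user reset request or completion is refused."""


@dataclass
class Account:
    username: str
    password_hash: bytes = b""
    backups: list = field(default_factory=list)   # usernames of designated backup users
    last_seen: float = 0.0                        # epoch seconds of last authenticated visit
    alerts: list = field(default_factory=list)    # banner messages shown on every page


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def verify_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


def _token_digest(token):
    # Only a hash of each issued token is kept server-side, so a database leak
    # does not hand out a ready-made set of reset tokens.
    return hashlib.sha256(token.encode()).digest()


class BackupRecovery:
    """k-of-n backup-user password recovery with an activity guard (hypothetical API).

    threshold: distinct backup users whose tokens are needed (3-of-3 is the
    thread's original scheme; a threshold below len(backups) is the 'critical
    mass' variant).
    min_idle_seconds: recovery is refused while the owner has been seen more
    recently than this; someone who can still log in should use the
    authenticated change-password flow instead.
    """

    def __init__(self, accounts, threshold=3, min_idle_seconds=7 * 86400, token_ttl=3600):
        self.accounts = accounts
        self.threshold = threshold
        self.min_idle_seconds = min_idle_seconds
        self.token_ttl = token_ttl
        self.pending = {}   # username -> {"expires": float, "digests": {backup: digest}}

    def request_reset(self, username, now):
        acct = self.accounts[username]
        if now - acct.last_seen < self.min_idle_seconds:
            acct.alerts.append(f"Backup-user reset refused at {now:.0f}: account recently active")
            raise RecoveryError("account recently active; change the password from a logged-in session")
        if len(acct.backups) < self.threshold:
            raise RecoveryError("not enough backup users designated")
        tokens = {b: secrets.token_urlsafe(16) for b in acct.backups}
        self.pending[username] = {
            "expires": now + self.token_ttl,
            "digests": {b: _token_digest(t) for b, t in tokens.items()},
        }
        # Every attempt is surfaced to the owner, so a defecting backup is visible.
        acct.alerts.append(f"Password reset via backup users requested at {now:.0f}")
        # In a deployment each token goes to its own backup user, never to the requester.
        return tokens

    def complete_reset(self, username, presented, new_password, now):
        pending = self.pending.get(username)
        if pending is None or now > pending["expires"]:
            raise RecoveryError("no live reset request")
        valid = 0
        for backup, token in presented.items():
            expected = pending["digests"].get(backup)
            if expected is not None and hmac.compare_digest(_token_digest(token), expected):
                valid += 1
        if valid < self.threshold:
            raise RecoveryError(f"{valid} valid token(s); {self.threshold} required")
        acct = self.accounts[username]
        acct.password_hash = hash_password(new_password)
        del self.pending[username]          # tokens are single-use
        acct.alerts.append(f"Password changed via backup users at {now:.0f}")
        return True


def is_refused(fn, *args):
    """True if the call raises RecoveryError (convenience for checking the guards)."""
    try:
        fn(*args)
    except RecoveryError:
        return True
    return False
```

The idle-time guard is what stops colluding backups from locking out an owner who still visits daily; the alert list is the banner the reply above asks for; lowering `threshold` while adding backups is the trade-off the last comment describes, more resilience against inactive friends at the cost of fewer colluders needed.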

Use a security key like yubikey to verify it’s the same person. I dunno if the default yubikey requires a pin AND touch, but mine does... even if you steal it, you don’t know the pin. These days you can also use Apple touch and windows hello in webauthn. So, there’s that.

Another possibility is requiring a payment with a payment method they’ve used before and then credit their account with the amount. Forcing 3D secure on that transaction should cut down on fraudulent take overs; or at least shift the liability from you, somewhat.

If you have an app, you can also allow them to authorize the password reset from the app on a computer (or vice versa).

Lastly, you could just not have a password to forget. :)

Seems like a hard problem. You could keep track of IP addresses that the user plays from, and allow resets from that IP. You'd only want to do this for very low risk types of accounts. Sadly, game sites tend to be high target for account takeovers, so this may be a very bad idea. Adding some other fingerprinting would help.

In fact, the more I think about it, there's a paper I saw that can identify users solely by their mouse movements. If you maintained that kind of fingerprinting in game, you could simply ask the user to play a few rounds then offer to reset if they're from a typical IP address. Might work well for this particular website.

It would be awesome if there was a face unlock technology that can be integrated with sites for laptops. It would of course create privacy concerns.
Allow to upload a PGP public key, and reset request page would just return an encrypted PGP message containing a link to reset the password.

Assumes:

- people are less likely to lose their PGP key, than random password to a random website.
- people have PGP keys
- PGP key doesn't contain email address (it does).

Anyway, it would be reliable, and it doesn't need giving third party online service access to all your online accounts.

Phone number, I guess. Sending SMS messages en masse is expensive or heavily regulated in much of the world and it doesn't particularly suit frequent "spamming" so people of a younger generation may be more willing to hand it over(?)
That hasn't been true lately. Lately I'm getting spammed at least a dozen times a day by SMS.
Yeah, I have a number that I "hand over" and another number I don't. The public number is inundated with spam SMS to the point that I don't even bother checking them anymore. And this is with pretty conservative behavior: even though I have a dedicated number for this purpose I still avoid entering it unless I absolutely have to.
Agree. It will depend on site, but we often don't challenge if email collection is worthwhile. One idea we had is to ask for an email afterward as an optional password discovery option if the user wants it. That way they are in control.
Give a password reset code and ask the user to write it down on paper.
People likely to lose a password, would likely lose this paper code too. People using password manager would not lose the password in the first place.
Nothing is perfect, email isn't that reliable channel either, e.g. Google locks accounts regularly at random.