Hacker News
by paranoidrobot 1405 days ago
> For dormant account reactivation, they can ask the user for lots of details that are in the account. For example, "please type in email addresses of as many people as possible that you have sent emails to from this account".

Oh. No. I'd rather they just up and deleted the account, instead.

Google is already painful enough to get into old accounts that you haven't used for a while.

For a dormant account, what are the chances that you're going to remember the email address that someone used years ago? People have address books for that, and the address book is locked on the other side of that password prompt.

> During the 7 days, contact the user's top contacted email addresses and ask them to reply confirming the user is trying to reactivate the account.

Yeah, nah. That's awful for several reasons.

It's another phishing-like prompt - "Hey, Joe Bloggs is trying to log into their email. Do you think it's really them? Click here to let them into their account".

If you invert it, then you're at risk of someone with a grudge against you clicking the "No, it's an attacker" link. Even a friend clicking it because they think it's funny.

There's no way I'd want most of the people I email to have any involvement in accessing my account, without me being able to nominate specifically whom the system emailed.