In the wake of the Yahoo fiasco where some loser without a life hacked Governor Palin's email account, a forward-thinking email service should take the lead in email security. The ability to create a custom security question is a good start, but a better solution would be to allow users to add a verification phone number to their account.
The service would send an SMS message to the account phone number to confirm any password change. If the account holder replies to the text message with "YES," the service executes the change. If there is no reply within, say, 15 minutes, the service cancels the change request and puts a pleasant message on the screen telling the requester that he needs access to the account phone number to validate the change. This covers users who forget where their phones are or whose phone battery is dead. If the user replies "NO," the service cancels the password change, starts a hacking investigation, and displays on the site an animated Grim Reaper laughing menacingly and proclaiming "Gotcha, you loser hacker!" (just kidding, but not really). As an added feature, the service could display the account phone number (or a masked version of it, like "the phone number ending in 1234") on users' account home pages so they will remember to update it if they change their mobile phone number.
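Here is the confirmation flow above written out as a small state machine, added as an illustration and not code from the original post or from any real email provider. The service class, the user name, the phone number and the SMS sender callback are all constructed; the one rule taken from the text is that no reply within 15 minutes cancels the request.

```python
# Added example (not from the original post): the SMS confirmation flow as a state machine.
# Users, phone numbers and the SMS sender are constructed stand-ins so this runs offline.
TIMEOUT_SECONDS = 15 * 60   # no reply within 15 minutes cancels the request

# Screen message for a timed-out request, as the post describes
TIMEOUT_MESSAGE = ("To change this password you need access to the account phone "
                   "number. Please try again when you have it.")


class PasswordChangeConfirmer:
    """Holds one staged password change per user until the phone replies or it times out."""

    def __init__(self, phone_numbers, send_sms):
        self.phone_numbers = phone_numbers  # user -> account phone number
        self.send_sms = send_sms            # callable(number, text); injected for offline use
        self.pending = {}                   # user -> {"hash": ..., "requested_at": seconds}
        self.flagged = []                   # users whose request drew a "NO" reply

    def request_change(self, user, new_password_hash, now):
        # The change is staged, never applied, until the phone says YES.
        self.pending[user] = {"hash": new_password_hash, "requested_at": now}
        self.send_sms(self.phone_numbers[user],
                      "A password change was requested. Reply YES to allow it or NO to reject it.")

    def handle_reply(self, user, text, now):
        """Return the resulting state: confirmed, flagged, expired, pending or none."""
        req = self.pending.get(user)
        if req is None:
            return "none"                   # nothing staged: ignore stray replies
        if now - req["requested_at"] > TIMEOUT_SECONDS:
            del self.pending[user]
            return "expired"                # a late YES is not honoured
        answer = text.strip().upper()
        if answer == "YES":
            del self.pending[user]
            return "confirmed"              # the caller now applies req["hash"]
        if answer == "NO":
            del self.pending[user]
            self.flagged.append(user)       # hand off to the fraud investigation
            return "flagged"
        return "pending"                    # unrecognised reply: keep waiting

    def sweep_expired(self, now):
        """Cancel stale requests; returns users whose screen should show TIMEOUT_MESSAGE."""
        stale = [u for u, r in self.pending.items() if now - r["requested_at"] > TIMEOUT_SECONDS]
        for u in stale:
            del self.pending[u]
        return stale


def mask_phone(number):
    """Masked form for the account home page, e.g. 'the phone number ending in 1234'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return f"the phone number ending in {digits[-4:]}"
```

Timestamps are plain seconds so the flow can be driven deterministically; a real deployment would also rate-limit requests per account and log every flagged request for the investigation the post mentions.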
This feature would virtually guarantee that all password change requests are valid and would provide an instant mechanism for flagging fraudulent requests.