MyBB Community Forums

Full Version: Secondary email address for users
(2016-02-28, 07:02 AM)Omar G. Wrote: [ -> ]I really don't see the point of a second e-mail address. The user should secure their email accounts to be able to recover them instead.

I have so far never come across a site that requests this info from me IIRC.

Google... the most popular site in the world does.

edited to note: it's not a requirement, but it does allow a user to specify a backup email address & phone number for account recovery.
(2016-02-27, 09:20 PM)andrewjs18 Wrote: [ -> ]
(2016-02-26, 10:50 PM)Euan T Wrote: [ -> ]At the minute users register to your site with a single email address that is used for all password recovery and notifications. However, should the user lose access to this email, they will also be unable to reset their passwords. There are a lot of sites out there that allow users to add an additional recovery email as well as their standard email which is only used for password recovery and not notifications. I think this would be a useful addition that is becoming more and more standard across the web. Added to 2FA everywhere, this gives users more control over their account and recovery options.

I like the idea. in addition to that, what about possibly adding a cell phone number to your account so the forum system can send you a text with some random X digit code before you can reset your password like some sites have...

(2016-02-27, 02:31 PM)Devilshakerz Wrote: [ -> ]
(2016-02-27, 01:45 PM)Amaryllion Wrote: [ -> ]I would prefer a secret security question/answer over a second email address. Nowadays you have so many email addresses and some people change them over time. I don't know if it is a benefit if you provide them two (or more) possibilities instead of one when registering. If they forget number one (because it is too old) they will forget number two as well.

Security questions usually provide very poor security; if you enter a personal e-mail address in addition to a work/school/website address you'll still be able to recover your account should the latter become unavailable (which is not uncommon).

agreed.
The problem with SMS would be that it would require an external service - of which there are several. Choosing to support a single service out of the box may cause problems for some users.
(2016-02-28, 07:02 AM)Omar G. Wrote: [ -> ]I really don't see the point of a second e-mail address. The user should secure their email accounts to be able to recover them instead.

I have so far never come across a site that requests this info from me IIRC.

It wouldn't be required, but would be an option. Google does this, as do Microsoft, as do GitHub, as do Twitter, as do Facebook, as do most of the big internet sites.
(2016-02-28, 12:20 PM)Euan T Wrote: [ -> ]
(2016-02-27, 09:20 PM)andrewjs18 Wrote: [ -> ]
(2016-02-26, 10:50 PM)Euan T Wrote: [ -> ]At the minute users register to your site with a single email address that is used for all password recovery and notifications. However, should the user lose access to this email, they will also be unable to reset their passwords. There are a lot of sites out there that allow users to add an additional recovery email as well as their standard email which is only used for password recovery and not notifications. I think this would be a useful addition that is becoming more and more standard across the web. Added to 2FA everywhere, this gives users more control over their account and recovery options.

I like the idea. in addition to that, what about possibly adding a cell phone number to your account so the forum system can send you a text with some random X digit code before you can reset your password like some sites have...

(2016-02-27, 02:31 PM)Devilshakerz Wrote: [ -> ]
(2016-02-27, 01:45 PM)Amaryllion Wrote: [ -> ]I would prefer a secret security question/answer over a second email address. Nowadays you have so many email addresses and some people change them over time. I don't know if it is a benefit if you provide them two (or more) possibilities instead of one when registering. If they forget number one (because it is too old) they will forget number two as well.

Security questions usually provide very poor security; if you enter a personal e-mail address in addition to a work/school/website address you'll still be able to recover your account should the latter become unavailable (which is not uncommon).

agreed.
The problem with SMS would be that it would require an external service - of which there are several. Choosing to support a single service out of the box may cause problems for some users.
(2016-02-28, 07:02 AM)Omar G. Wrote: [ -> ]I really don't see the point of a second e-mail address. The user should secure their email accounts to be able to recover them instead.

I have so far never come across a site that requests this info from me IIRC.

It wouldn't be required, but would be an option. Google does this, as do Microsoft, as do GitHub, as do Twitter, as do Facebook, as do most of the big internet sites.

I guess if SMS were to be implemented, you'd probably have to go with whatever service has the most benefit for the MyBB community. I wouldn't necessarily dismiss it because some users may not be able to properly use it though.
(2016-02-28, 07:02 AM)Omar G. Wrote: [ -> ]I really don't see the point of a second e-mail address. The user should secure their email accounts to be able to recover them instead.

I have so far never come across a site that requests this info from me IIRC.

@Omar

Example with just 1 email

Let's say u delete ur Google account
U forget ur MyBB password (it has the same email u deleted) 
Can't recover email
Ur olive


Let's see an example with 2 emails 

Delete ur Google account
Forget password
Use ur secondary email
Success
If you delete your Google account and forget your second email address because you never use it - then what? Should MyBB provide a third mail address? A table of mail addresses, just in case?
Or do you just contact your board as a guest and tell the team you forgot your password and deleted your mail account as you would with just one email address?

I still think this is a dispensable core feature.
(2016-03-02, 10:57 AM)Amaryllion Wrote: [ -> ]Or do you just contact your board as a guest and tell the team you forgot your password and deleted your mail account as you would with just one email address?

At this point it's very hard to distinguish genuine requests from social engineering attacks; forum administrators should ignore any attempts like this unless they have other means of confirming identity safely (which often is not the case).
(2016-03-02, 01:31 PM)Devilshakerz Wrote: [ -> ]
(2016-03-02, 10:57 AM)Amaryllion Wrote: [ -> ]Or do you just contact your board as a guest and tell the team you forgot your password and deleted your mail account as you would with just one email address?

At this point it's very hard to distinguish genuine requests from social engineering attacks; forum administrators should ignore any attempts like this unless they have other means of confirming identity safely (which often is not the case).

some sort of system to allow an admin to send out a random code via text or email to users that then allows them to reset a password would be nice.

the reset passwords functionality in mybb 1.8.* is buggy and it becomes quite the challenge if a user happens to be one of those unfortunate individuals that never gets the password reset email. just two days ago I had to manually reset a password for a user because he wasn't getting any password reset emails from the forum.
(2016-03-03, 08:32 AM)andrewjs18 Wrote: [ -> ]some sort of system to allow an admin to send out a random code via text or email to users that then allows them to reset a password would be nice.

the reset passwords functionality in mybb 1.8.* is buggy and it becomes quite the challenge if a user happens to be one of those unfortunate individuals that never gets the password reset email. just two days ago I had to manually reset a password for a user because he wasn't getting any password reset emails from the forum.

This is exactly what I think would be quite useful!
I like this idea, and maybe it could be implemented even further to allow for various apps to have to be sent an auth code before the user logs in (or if they forget their password, etc.). A secondary email would be extremely nice as a start, but I feel like this could be expanded even more into more current software and technology that makes sure the person is truly the person that is logging into the account.

Plus if the admin has instant approval on, it defeats the whole purpose of this while other methods could still be intact if they pick this option for new registrations.
Facebook, Google, Twitter have this, so it's not a bad idea for sure.