Question

What is the most secure method to allow a website user to reset their password? I know you can send a unique url to their email but are there any other techniques people use? Let's assume the user does NOT recall their current password.


Solution

For example:

  1. Send some code to SMS (something you have - phone)
  2. Let a related person confirm your identity (social networks, web of trust) (something you are)
  3. Send code by snail mail (something you are)
  4. Live operator call (something you know)

But some of them are vulnerable to social engineering attacks. Most secure is when YOU KNOW something AND YOU HAVE something and YOU ARE something. But it is hard to achieve.

Other tips

The recommended way is to send a URL with a limited-time hash, which is active for 15-30 minutes and is revoked when the password is changed.
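The time-limited, single-use reset link described in this answer, as an added example that is not part of the original post. It assumes an in-memory store standing in for the user and token tables, a 30-minute lifetime, and a caller that has already hashed the new password; only a digest of the token is stored, so a database leak does not yield usable reset links.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # upper end of the 15-30 minute window from the answer


class PasswordResetService:
    """Issues reset tokens that expire, work once, and die when the password changes."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested offline
        self._tokens = {}      # sha256(token) -> (user_id, expires_at); constructed stand-in for a DB table
        self._passwords = {}   # user_id -> password hash; constructed stand-in for the user table

    @staticmethod
    def _digest(token):
        # Store only a hash: the plaintext token lives solely in the emailed URL.
        return hashlib.sha256(token.encode()).hexdigest()

    def revoke(self, user_id):
        """Drop every outstanding token for this user (new request, password change)."""
        for digest, (uid, _) in list(self._tokens.items()):
            if uid == user_id:
                del self._tokens[digest]

    def issue_token(self, user_id):
        """Return the token to embed in the reset URL; supersedes older unused links."""
        self.revoke(user_id)
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, unguessable
        self._tokens[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password_hash):
        """Consume the token and set the new password; False on unknown, expired or reused tokens."""
        # pop() makes the token single-use whether or not the reset succeeds.
        record = self._tokens.pop(self._digest(token), None)
        if record is None:
            return False
        user_id, expires_at = record
        if self._now() > expires_at:
            return False
        self._passwords[user_id] = new_password_hash
        self.revoke(user_id)  # password changed: no other link for this account stays valid
        return True

    def password_hash(self, user_id):
        return self._passwords.get(user_id)
```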

If the information is really secure then you'd probably want to look at how banks handle password resetting, which normally involves a phone call and a telephone banking password!

There is always the security question that is asked during the registration process. You can use that for resetting the password. You can also read this older post for the same.

License: CC-BY-SA Attribution