Users navigate to the account-recovery page and are presented
with several options to prove control of their accounts (see
Figure 5-12).
The web page shows three different ways to regain control of an
account if the user does not have her card. First, she can show a
card she does have and begin the validation process via email
based on the email address claim in the card she presents. Or
she could simply type in the email address and begin the same
process. Or she could use her username and password to authenticate
and just associate a new card.
Figure 5-12 User experience for account recovery
To verify that the user controls the email account, the
website generates a secret and mails it to the user. The user
returns the secret to the website, thereby demonstrating
control of the email account. When used with Information
Cards, it is critical that the Information Card be presented to the
website only after the user has validated the email address, and that the
email address claim in the card matches the email address to which the
secret was sent. This prevents unwary users from accidentally
clicking a link and validating an email address by mistake.
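The flow described above, as an added example that is not code from the original book or from CardSpace itself: the server keeps only a hash of the mailed secret, accepts it once and only before it expires, and binds a card only after verification and only when the card's email claim equals the address the secret went to. The class, method names and the 15-minute lifetime are assumptions for illustration; the two claim URIs are the standard CardSpace email and PPID claim types.

```python
import hashlib
import hmac
import secrets
import time

# Standard CardSpace claim URIs for the e-mail address and the card's PPID.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PPID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: mailed secret is valid for 15 minutes


def normalize_email(addr):
    """Compare addresses case-insensitively and ignoring surrounding whitespace."""
    return addr.strip().lower()


class AccountRecovery:
    """Hypothetical server-side state for the e-mail based recovery flow."""

    def __init__(self):
        self._pending = {}      # sha256(secret) -> (email, expires_at)
        self.bound_cards = {}   # email -> set of PPIDs associated with the account

    def begin_by_email(self, email, now=None):
        """User types an address: generate a secret to mail to it.
        Only a hash is stored, so a leaked table does not leak live secrets."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (normalize_email(email), now + TOKEN_TTL_SECONDS)
        return token  # the caller mails this; it is never echoed to the page

    def begin_by_card(self, card_claims, now=None):
        """User shows a card she has: its e-mail claim seeds the same flow."""
        return self.begin_by_email(card_claims[EMAIL_CLAIM], now)

    def confirm(self, token, now=None):
        """User returns the mailed secret. Returns the verified address or None.
        The secret is single-use (popped on first try) and expires."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email

    def associate_card(self, verified_email, card_claims):
        """Card is presented only after confirm() succeeded, and its e-mail
        claim must equal the address the secret was sent to."""
        if verified_email is None:
            return False
        ppid = card_claims.get(PPID_CLAIM)
        if not ppid:
            return False
        card_email = normalize_email(card_claims.get(EMAIL_CLAIM, ""))
        if not hmac.compare_digest(card_email.encode(), verified_email.encode()):
            return False
        self.bound_cards.setdefault(verified_email, set()).add(ppid)
        return True
```

Because `associate_card` takes the address returned by `confirm` rather than reading it from the card, a card whose email claim differs from the verified address is rejected, and a card presented before any secret has been confirmed is rejected as well, which is the ordering the text calls critical.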
Putting CardSpace to Work
Perspective: Alternative Security Measures for
Authentication
A common trend with websites is to ask additional questions: for example,
"What is your mother's maiden name?" and "What city were you born in?"
These questions are often used for "enhancing" authentication, or worse, authentication
itself.