Questions such as
“When did you last sign in?” “How long have you been a member?” and
“Approximately how many transactions have you done this month?” are more
likely to provide assurance that users are actually who they say they are, but
such “authentication” should use enough questions to be thorough; a single answer that an attacker could guess or look up is not a proof of identity.
In the end, proving control of an email address doesn’t absolutely guarantee
identity either; you can think of it as a form of primitive federation. (After all, the
RP is essentially relying on the email service provider to properly authenticate
the user.) It is wise to consider all avenues of attack when utilizing an alternative
authentication mechanism.
Messages are used to prompt the user to action
If users sign in using a username and password, and have at
least one Information Card associated with their account, they
should receive a different style of warning. This could be perfectly
innocent: users might not be at a computer where they
have their Information Cards stored. Or it could be because they
have lost control of their cards and need to revoke the ability
to sign in with them (see Figure 5-14).
When users log in and receive this warning, they have the opportunity
to visit the account maintenance page, which
allows them to remove the old card association and optionally
add a new one. The revocation should take effect immediately, so that a stolen card cannot be used to sign in once its owner has removed it.
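The sign-in and account-maintenance behaviour described above, as an added example that is not the book's code: a small in-memory relying-party account store where a password sign-in succeeds but flags a warning when Information Cards are associated with the account, and where the maintenance action revokes a card (optionally adding a replacement) so that card sign-in with the old identifier fails immediately. The names (Account, CARDS_ASSOCIATED, password_login, card_login, replace_card) and the use of an opaque string as the card identifier are assumptions for illustration; real CardSpace deployments identify a card by its PPID claim.

```python
# Added example, not code from the book: minimal RP account store that
# implements the "password used although cards exist" warning and the
# account-maintenance revocation described in the text.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Warning kind returned after a password sign-in (assumed name).
CARDS_ASSOCIATED = "cards_associated"


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # Identifiers of Information Cards linked to this account. CardSpace
    # identifies a card by its PPID claim; any opaque string works here.
    card_ids: set = field(default_factory=set)


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the store never holds a raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(store: dict, username: str, password: str) -> Account:
    salt = os.urandom(16)
    acct = Account(username, salt, _derive(password, salt))
    store[username] = acct
    return acct


def password_login(store: dict, username: str, password: str) -> dict:
    """Password sign-in. Returns whether it succeeded and which warning,
    if any, the RP should show. A failed login never reveals whether the
    account exists or has cards associated with it."""
    acct = store.get(username)
    # Always run the derivation, even for unknown users, so response time
    # does not distinguish existing from non-existing accounts.
    salt = acct.salt if acct is not None else b"\x00" * 16
    expected = acct.pw_hash if acct is not None else _derive("", salt)
    candidate = _derive(password, salt)
    ok = acct is not None and hmac.compare_digest(candidate, expected)
    if not ok:
        return {"authenticated": False, "warning": None}
    # The password path worked, but the user normally signs in with a card:
    # prompt them to check whether the card has been lost.
    warning = CARDS_ASSOCIATED if acct.card_ids else None
    return {"authenticated": True, "warning": warning}


def card_login(store: dict, card_id: str) -> Optional[Account]:
    """Information Card sign-in: a card identifier maps to at most one account."""
    for acct in store.values():
        if card_id in acct.card_ids:
            return acct
    return None


def associate_card(store: dict, username: str, card_id: str) -> None:
    # One card identifier must never be linked to two accounts.
    if card_login(store, card_id) is not None:
        raise ValueError("card already associated with an account")
    store[username].card_ids.add(card_id)


def replace_card(store: dict, username: str, old_card_id: str,
                 new_card_id: Optional[str] = None) -> list:
    """Account-maintenance action: remove the old card association and
    optionally add a new one. Revocation is immediate, so card_login with
    the old identifier fails as soon as this returns."""
    acct = store[username]
    acct.card_ids.discard(old_card_id)
    if new_card_id is not None:
        associate_card(store, username, new_card_id)
    return sorted(acct.card_ids)
```

Because the warning is decided only after the password check has passed, an attacker who guesses wrong learns nothing about whether the account has cards; and because `replace_card` mutates the same set that `card_login` consults, there is no window in which a revoked card still signs in.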