Prevent Misuse of the Account Recovery Function
- In the most security-critical applications, such as online banking, account recovery in the event of a forgotten password is handled out-of-band: a user must make a telephone call and answer a series of security questions, and new credentials or a reactivation code are also sent out-of-band (via conventional mail) to the user's registered home address. The majority of applications do not want or need this level of security, and so an automated recovery function may be appropriate.

- A well-designed password recovery mechanism needs to prevent accounts from being compromised by an unauthorized party, and minimize any disruption to legitimate users.
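The following is an added illustration of the two design goals just stated, not code from the book: a token-based recovery flow in which the reset token is unguessable, stored only as a hash, short-lived and single-use, compared in constant time, and where the request path returns the same message whether or not the address is registered. The `RecoveryService` class, the in-memory store, the 15-minute validity window and the sample addresses are all constructed for this example.

```python
"""Password-recovery token flow (added example; not the book's own code).

Design goals from the text: an unauthorized party must not be able to take
over an account through the recovery function, and legitimate users should
not be locked out or inconvenienced. Choices that follow from those goals:
  * the token is long and random (secrets module), so it cannot be guessed;
  * only a hash of the token is stored, so a leaked database does not yield
    usable reset links;
  * each token expires quickly and can be used exactly once;
  * the request path behaves identically for registered and unregistered
    addresses, so it cannot be used to enumerate accounts;
  * the token comparison is constant-time.
The in-memory store, sample users and TTL are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for a reset link


@dataclass
class ResetRecord:
    token_hash: bytes   # SHA-256 of the token; the token itself is never stored
    expires_at: float   # absolute time after which the token is rejected
    used: bool = False  # set once a reset succeeds, so the link cannot be replayed


class RecoveryService:
    def __init__(self, registered_emails, clock=time.time):
        # email -> (salt, password hash); None until a password is set
        self.users = {e: None for e in registered_emails}
        self.pending = {}        # email -> ResetRecord
        self.clock = clock       # injectable clock so expiry can be tested

    @staticmethod
    def _hash_token(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str):
        """Start a recovery. Returns (message, token).

        The message is identical for known and unknown addresses. The token
        is returned here only so the caller (or a test) can deliver it; a real
        deployment would e-mail it and return only the message.
        """
        token = None
        if email in self.users:
            token = secrets.token_urlsafe(32)  # 256 bits of randomness
            self.pending[email] = ResetRecord(
                self._hash_token(token), self.clock() + TOKEN_TTL_SECONDS
            )
        return "If that address is registered, a reset link has been sent.", token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Finish a recovery: verify the token, then set the new password."""
        rec = self.pending.get(email)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        # constant-time comparison of the stored hash against the presented token
        if not hmac.compare_digest(rec.token_hash, self._hash_token(token)):
            return False
        rec.used = True  # single use: a second submission of the same link fails
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[email] = (salt, pw_hash)
        return True


if __name__ == "__main__":
    svc = RecoveryService(["alice@example.com"])
    msg_known, tok = svc.request_reset("alice@example.com")
    msg_unknown, _ = svc.request_reset("nobody@example.com")
    print("same response for known/unknown:", msg_known == msg_unknown)
    print("reset with wrong token:", svc.complete_reset("alice@example.com", "wrong", "pw"))
    print("reset with real token:", svc.complete_reset("alice@example.com", tok, "pw"))
    print("replay of same token:", svc.complete_reset("alice@example.com", tok, "pw2"))
```

The injectable clock is what makes the expiry rule testable without sleeping; in production the default `time.time` is used. Rate-limiting reset requests per address and per source would normally accompany this logic, but is outside what this excerpt covers.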