I am working on an auth system that I intend to use throughout several websites I am working on, they will all use the same userbase.
I am curious what your thoughts as a user on the following things:
- Forgotten Password Security Question
- Activation Email
As a user they both make me semi-annoyed having to do more work just to get the content and discourages me from using the website. However from a developer standpoint I like them better for security features. What are you thoughts on them and should I implement them into my system?
The general answer is alot of this depends on what you are securing in your app and how tight you want things to be. Other general piece of advice is that 2011 is a bit late to roll your own authentication scheme -- lots of better options are out there.
There are a few ways of handling password resets, one model uses the "separate security question" as a secondary way to identify people so you can perform a password reset online. There are other models, but the advantage to this one is you have got a good idea that this person isn't the guy who hijacked my email account and is now resetting my passwords to get access to stuff.
Activation emails are more of an anti spam and anti impersonation thing -- you are verifying that this person has access to this email account and can click on a link. Kind of prevents people from either hijacking someone's email address and also puts a damper on some forms of automated sign-ups.