ID: 662114 • Letter: I
Question
I'm migrating users from custom application-level authentication security (built into the app, using username as the unique identifier) to security as a service (using ThinkTecture's Identity Server and MembershipReboot).
A substantial number of existing users have non-unique or null email addresses. These will all be seeded from the existing app to MembershipReboot's database.
The forgotten password process (using a username field to generate and send an OTP via SMS) is being replaced with MembershipReboot's forgotten credential process using email addresses to generate a URL for users to reset their password.
For those users with a shared email address, should I include a separate step to capture the username after capturing the user's email address, so as to generate a URL for the correct user? Or is there a reasonable alternative that doesn't require any proactive user change?
Explanation / Answer
For shared email addresses, I would generate a reset link only after the user has entered a valid username and email. The reset procedure would also require a new, unique email address that must be separately verified.
Presumably the users who share an email address already have some level of trust between them. If not, then you would need to find an alternative piece of information that identifies each user.
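The flow the answer describes, as an added example that is not part of the original post and not MembershipReboot or IdentityServer code: it is written in Python rather than the .NET stack in the question so the logic stands on its own, and every name in it (Account, ResetTicket, ResetService, the status strings, the set_password callback) is a hypothetical name chosen for the illustration. A reset request for a unique address proceeds as usual; for an address shared by several seeded accounts the form first demands the username, and the resulting ticket only lets the user set a password after naming a new, unique address and proving control of it through a second mailed token. Tokens are stored only as hashes, expire, and are single use, and the sample user table at the bottom is constructed for the example.

```python
# Added example, not MembershipReboot or IdentityServer code. Account, ResetTicket,
# ResetService and the status strings are hypothetical names used for this illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    username: str            # the real unique identifier inherited from the old app
    email: Optional[str]     # may be None or duplicated across accounts after the seed

@dataclass
class ResetTicket:
    username: str
    expires_at: float
    needs_new_email: bool    # shared address: the account must adopt a fresh, unique one
    new_email: Optional[str] = None

def _h(token):
    # only hashes of tokens are stored, so a leaked ticket table holds no live links
    return hashlib.sha256(token.encode()).hexdigest()

class ResetService:
    TOKEN_TTL = 15 * 60      # seconds; reset and verification links share one expiry

    def __init__(self, accounts, set_password, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.set_password = set_password   # (username, new_password) -> None; the store owns hashing
        self.tickets = {}    # hash(reset token) -> ResetTicket
        self.pending = {}    # hash(verification token) -> ResetTicket awaiting proof of new address
        self.now = now       # injectable clock so expiry can be exercised

    def _by_email(self, email):
        e = email.strip().lower()
        return [a for a in self.accounts.values() if a.email and a.email.lower() == e]

    def _issue(self, account, needs_new_email):
        token = secrets.token_urlsafe(32)
        self.tickets[_h(token)] = ResetTicket(account.username, self.now() + self.TOKEN_TTL, needs_new_email)
        return token

    def _ticket(self, token):
        t = self.tickets.get(_h(token))
        return t if t is not None and t.expires_at >= self.now() else None

    def request_reset(self, email, username=None):
        # Step 1, the forgotten-credential form: returns (status for the UI, token to mail or None).
        # Unknown address and wrong username both give "sent" so the form does not confirm which exist.
        matches = self._by_email(email)
        if not matches:
            return "sent", None
        if len(matches) == 1 and username is None:
            return "sent", self._issue(matches[0], needs_new_email=False)
        if username is None:
            return "username_required", None     # shared address: collect the username first
        wanted = username.strip().lower().encode()
        for a in matches:
            if hmac.compare_digest(a.username.lower().encode(), wanted):
                return "sent", self._issue(a, needs_new_email=len(matches) > 1)
        return "sent", None

    def complete_reset(self, token, new_password):
        # Step 2 from the mailed link, for accounts whose address is unique.
        t = self._ticket(token)
        if t is None:
            return "invalid"
        if t.needs_new_email:
            return "unique_email_required"       # must go through provide_new_email instead
        del self.tickets[_h(token)]              # single use
        self.set_password(t.username, new_password)
        return "done"

    def provide_new_email(self, token, new_email):
        # Step 2 for shared-address accounts: a new address no other account uses. Consumes the
        # reset token and returns (status, verification token to mail to that new address).
        t = self._ticket(token)
        if t is None or not t.needs_new_email:
            return "invalid", None
        e = (new_email or "").strip().lower()
        if not e or self._by_email(e):
            return "unique_email_required", None
        verify = secrets.token_urlsafe(32)
        t.new_email = e
        self.pending[_h(verify)] = self.tickets.pop(_h(token))
        return "verify_new_email", verify

    def confirm_new_email(self, verify_token, new_password):
        # Step 3: the link mailed to the new address proves control of it; only now do the address
        # and the password change. Uniqueness is re-checked in case another account claimed it meanwhile.
        t = self.pending.pop(_h(verify_token), None)
        if t is None or t.expires_at < self.now() or self._by_email(t.new_email):
            return "invalid"
        self.accounts[t.username].email = t.new_email
        self.set_password(t.username, new_password)
        return "done"
# Constructed sample of a seeded user table: one unique address, one shared, one null.
SEEDED = [Account("alice", "alice@example.com"), Account("bob", "family@example.com"),
          Account("carol", "family@example.com"), Account("dave", None)]
```

Two caveats a practitioner would check before adopting this shape. The "username_required" response tells whoever submitted the form that the address is shared; if that disclosure matters, ask every user for both fields and return "sent" regardless. And accounts seeded with a null address (dave above) never enter this flow at all, since there is nowhere to send the link; they need the alternative identifying information the answer mentions, which in the question's case could be the existing SMS OTP route, until they have set a verified address.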