Secure way to do password retrieval/resetting?

Before I begin, my reason for not using OAuth is that I believe it is not really something we should be using on this project. We're targeting a platform that will be packaged and resold to companies, which connect to their own set of users. We really don't want accounts that we are not 100% in control of, we don't want a shared login with other services, and we don't want to force people into getting a Google/Yahoo/OpenID/AOL/Facebook/Blogger/WordPress/whatever account.

Now then, what I would like is the best way to let users reset a password.

I hate the concept of secret questions: What school did you go to? Well, let's check your Facebook page. Who was your first-grade teacher? Let's just ask them casually.

I hate using one-time passwords via email: Since when is email secure? Your boss reads it. You're sending out spam emails to me every day. It went into your junk bin. It's not sent encrypted.

I don't want to use a password to reset a password either. This just doesn't make sense.

I'm really out of ideas here for the best way to do this, so I figure I would ask the community.

Incognito asked Aug 20 '10 15:08

2 Answers

Your problem is that you need to outsource trust. If the user forgets their password, you no longer have a direct way to trust them, so you have to use an outside source to reestablish your relationship.

If you think email is insecure (which it is, actually), you could try telephone. Give them a call with the temporary password. Or a fax. Or snail mail, or an SMS, etc.

This is as secure as the phone lines/postal carriers over which the reset travels, and in most areas, telephone intercepts or tampering with the mail is strictly punished by the law.

If that's no good, consider issuing users an OTP token, or smartcard, or something.

Borealid answered Sep 25 '22 21:09

Barring being able to vet the person in person, I think you've listed all the reasonable options I've seen. In my opinion the one-time-password via email is the superior option as people tend to at least want to keep their email private. I personally hate secret questions - too big of a chance of the answers being public (see Sarah Palin email incident). If you are going to do secret questions, at least let the user choose their own questions.

Von answered Sep 22 '22 21:09
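Both answers come down to sending a temporary code over a channel you do not control (phone, SMS, letter, or email). Whatever channel you pick, the server-side handling of that code is what limits the damage if the channel leaks. The following is an added example, not code from the question or either answer: it issues a reset code from the OS CSPRNG, stores only its hash, and makes it short-lived and single-use, with a constant-time comparison on redemption. The in-memory `_pending_resets` store and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory store: username -> pending reset record.
# A real deployment persists this, but the invariants below are the same.
_pending_resets = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short windows limit exposure if the channel leaks


def _hash_token(token: str) -> str:
    # Store only a hash: someone who reads the database cannot replay the code.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use, short-lived code and return the plaintext for delivery
    over the out-of-band channel. The server keeps only hash, expiry and a used flag."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never random.random()
    _pending_resets[username] = {
        "hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(username: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired code; False otherwise.
    Callers should also rate-limit attempts per username (not shown here)."""
    now = time.time() if now is None else now
    record = _pending_resets.get(username)
    if record is None or record["used"] or now > record["expires"]:
        return False
    # Constant-time comparison so response timing does not leak matching bytes.
    if not hmac.compare_digest(record["hash"], _hash_token(presented)):
        return False
    record["used"] = True  # burn the code: replaying the same value must fail
    return True
```

After a successful redemption the application should set the new password and invalidate existing sessions for that account; the code above only decides whether the presented reset code is acceptable.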