Also known as: failed sign in, account recovery, forgotten password
How to help users who have forgotten their sign-in details or whose account has been locked.
Services that use this pattern:
Dropbox Paper audit
On 18th March 2019 the Design System team reviewed a Dropbox Paper document discussing the Failed sign in and account recovery pattern.
The aim was to reduce the number of places containing guidance and code by:
Below is a record of the outcomes of that review.
If you need to, you can see the original Dropbox Paper content in the internet archive.
Combine the document history discussion on Dropbox Paper with this issue and remove the original Dropbox Paper page.
Failed sign in and account recovery
How it works
Avoid using security questions
Services should avoid using security questions. They are often guessable or else easily forgotten by users.
Use a reset link in an email or SMS
Consider how this interacts with two-factor authentication. For example, sending the reset link by SMS when SMS is already the user's second factor is bad: whoever holds the phone can reset the password and then pass the second-factor step, so both factors collapse into one and the point of requiring two is defeated.
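As an added example (not code from this pattern or from the GOV.UK Design System), the sketch below shows a reset-link flow that refuses to send the link over the channel already used as the second factor, and that stores only a hash of a random, single-use, time-limited token. The user record fields, the 15-minute lifetime and the in-memory store are all assumptions for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


@dataclass
class User:
    # Constructed stand-in for a service's user record; field names are assumed.
    username: str
    email: Optional[str]
    phone: Optional[str]
    second_factor: Optional[str]  # None, "sms" or "totp"


# token hash -> (username, expiry). Only the SHA-256 of the token is stored, so a
# leaked table does not hand out usable reset links.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def choose_reset_channel(user: User) -> Optional[str]:
    """Pick a channel for the reset link that is not also the user's second factor.

    If SMS is the second factor and the reset link also goes by SMS, whoever
    holds the phone can reset the password and then pass the second-factor
    step, so both factors collapse into one. Returns None when no independent
    channel exists; the service then needs a different recovery route.
    """
    available = []
    if user.email:
        available.append("email")
    if user.phone:
        available.append("sms")
    safe = [c for c in available if c != user.second_factor]
    if not safe:
        return None
    return "email" if "email" in safe else safe[0]


def issue_reset_token(user: User, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a random, single-use, time-limited token; return (channel, token)."""
    channel = choose_reset_channel(user)
    if channel is None:
        raise ValueError("no reset channel independent of the second factor")
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    now = time.time() if now is None else now
    _pending_resets[_hash(token)] = (user.username, now + RESET_TTL_SECONDS)
    return channel, token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid and unexpired, else None.

    The token is removed on first use whether or not it has expired, so a
    link can only ever be redeemed once.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.pop(_hash(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```

A user whose only contact channel is the phone that also receives their SMS codes gets no channel back, which is the case the guidance is warning about: the service must offer some other recovery route rather than quietly falling back to SMS.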
Research on this pattern
Report on guidance from CESG https://beta.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach
From the report: "If using lockout, we recommend you allow around 10 login attempts before the account is frozen. This gives a good balance between security and usability (‘Ten strikes and you’re out: increasing the number of login attempts can improve password usability’, Brostoff and Sasse, CHI Workshop 2003)."
NCSC blog on security questions: Are security questions leaving a gap in your security?
We're going to replace account lockout with throttling in response to multiple login attempts. This is influenced by NCSC guidance at the blog mentioned above and ("throttling is preferred"
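As an added example (not the Design System's code), the block below contrasts the two approaches discussed in the research notes: a throttle that allows the CESG figure of around 10 free attempts and then doubles the wait after each further failure, instead of freezing the account. The base delay, the cap and the single-account scope are assumptions for the illustration; a real service would also throttle per source address.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

FREE_ATTEMPTS = 10            # failures before delays start (the CESG figure quoted above)
BASE_DELAY_SECONDS = 1.0      # assumed first delay; doubles with each further failure
MAX_DELAY_SECONDS = 15 * 60   # assumed cap so the wait stays finite for the real user


@dataclass
class _Record:
    failures: int = 0
    not_before: float = 0.0


class LoginThrottle:
    """Per-account throttling instead of lockout.

    Every failure beyond FREE_ATTEMPTS doubles the wait before the next attempt
    is even evaluated. The account is never frozen, so an attacker cannot lock
    the real user out just by guessing, but the exponential wait makes online
    guessing impractically slow.
    """

    def __init__(self) -> None:
        self._records: Dict[str, _Record] = {}

    def retry_after(self, username: str, now: float) -> float:
        rec = self._records.get(username)
        return 0.0 if rec is None else max(0.0, rec.not_before - now)

    def attempt(self, username: str, check_password: Callable[[], bool], now: float) -> Tuple[str, float]:
        """Return ("ok" | "denied" | "throttled", seconds_to_wait).

        While throttled the password is not checked at all, so a throttled
        attempt cannot be used as an oracle for whether a guess was right.
        """
        rec = self._records.setdefault(username, _Record())
        if now < rec.not_before:
            return "throttled", rec.not_before - now
        if check_password():
            self._records.pop(username, None)  # success clears the history
            return "ok", 0.0
        rec.failures += 1
        excess = rec.failures - FREE_ATTEMPTS
        if excess <= 0:
            return "denied", 0.0
        delay = min(BASE_DELAY_SECONDS * 2 ** (excess - 1), MAX_DELAY_SECONDS)
        rec.not_before = now + delay
        return "denied", delay


def seconds_to_evaluate(n_wrong_guesses: int) -> float:
    """Wall-clock seconds an attacker needs to have n wrong guesses evaluated,
    retrying the instant each wait expires. Shows how the cost grows once the
    free attempts are used up."""
    throttle = LoginThrottle()
    now = 0.0
    evaluated = 0
    while evaluated < n_wrong_guesses:
        status, wait = throttle.attempt("victim", lambda: False, now)
        if status == "throttled":
            now += wait
        else:
            evaluated += 1
    return now
```

With these constants the first ten wrong guesses cost the attacker nothing, the twentieth arrives after about eight and a half minutes of enforced waiting, and each further guess costs another fifteen minutes, while the real user who remembers their password is let in the moment the current wait expires and their history is cleared.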