Cyrille37 wrote
Hi & thanks @SFITCS
I understand, but I don't really agree with your arguments:
- Websites I have done and/or manage permit recovering access with email, and we have never had a problem.
- Government, institution and e-commerce websites permit recovering access with email, like a lot of websites.
However, I think recovering access with email is not a security concern, but a functionality concern. User and admin have to make the choice, and the developer just gives the functionality ;-)
Best regards, Cheers
Cyrille.
I agree - it's a functionality you (administrator) should control. For the reasons I stated I understand why every CMS I've worked with doesn't include that functionality as a default (but it's still possible, just unsupported - simply look at the code, you need to change 2 lines in DokuWiki).
I gently disagree that it's not a security concern. :)
:) YMMV. As may your definition of "by email". Yes - we reset passwords by email. No - we don't reset usernames by email without deleting the original username access (in which case "you" would need to present to management first). Perhaps you refer to a part of Europe that doesn't use LDAP or Active Directory(?) for "Government and institution" websites (I'm not a lawyer, nor have I worked in every part of "Europe"). In many cases there are Rainbow keys or other methods of dual authentication that would also need to be reset.
Note that I have little experience with small websites or local government - and I recognise that your clients may not care about my experience.
I've worked in the UK and the USA (and other places)... in my limited experience (government and private enterprise) it's the same as here in Australia. BP is we (administrators) will not reissue usernames if someone loses it (call your boss or the Help desk and we'll remind you of your username - and restore the emails you deleted in your email account on our email server). Generally we use central authentication so it's not possible (single login), i.e. if we reset the username for DokuWiki we'd be locking them out of every other network resource their profile allows.
tl/dr? Like it or not, the reasons I have stated are the same ones that mean you are unlikely to find a solution to your problem. Ditto for Concrete, CMS Made Simple, WordPress, Contao, Dolibar, Drupal, Magento, Moodle, ModX, PrestaShop, MoveableType, SilverStripe, Typo3 and many other "common" web applications (unless things have changed since we last supported them).
We'll reset passwords by sending them to the registered email account - but only if the user knows the username. Which is generally part of their profile (for every government department client my employers have worked with - that's generally mandated by law in the EU and the USA. Hint: ITIL). :)