When a server receives an account operating request from a current user for an operation such as looking up an account password, modifying an account password, revising an account-linked mobile phone number, or revising an account login name, the server typically presents a security question to the current user. The security question is preset by the user associated with the account. If the current user answers the security question correctly, the server determines that the current user is a user associated with the account and permits the current user to perform the aforementioned operation relating to the account.
A limitation of the above approach is that it is very easy for information-stealing tools (e.g., malware installed on the user's device) to obtain answers to security questions from user devices. Thus, the above approach for determining user identity is relatively insecure and results in reduced account security.