E-commerce merchants offer numerous products and services through web-based network resources, where such products and services utilize, at least in part, one or more unique user accounts set up for individual users. Frequently, users forget their passwords. A problem experienced by most online providers concerns resetting passwords, or more generally resetting confidential credentials associated with user accounts. When users forget a password, they request that the password be reset.
Today, before resetting a password, some systems prompt the user for authentication information in an effort to ensure that the individual who is resetting the password is a valid owner or user of the account. For example, one common authentication method includes asking one or more pre-defined security questions (e.g., “Who was your first grade teacher?” or “What is your favorite color?”). Another common method is to ask dynamic challenge questions regarding an account (e.g., “What was the amount for your last transaction?” or “How much did you pay in your last payment?”). When correct answers are received, the authentication method sends an email message (or text message) to an email address or phone number registered with the account. The email/text message may include either a one-time password or a link to a password reset page.
However, the foregoing methods have certain limitations. For example, methods that prompt a user for security questions or information regarding an account assume that such information is private. Often this information is not private. Also, methods that send one-time passwords or links to an email address or phone number assume that the email address or phone number is secure, which is not always true.
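The reset flow described above (challenge questions, then a one-time token sent to the registered address) is sketched below as an added example that is not part of the original text. The class and function names, the 15-minute token lifetime and the three-attempt limit are assumptions made for illustration; the comments mark the two points where the flow relies on the assumptions the last paragraph questions.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 900      # assumed: reset token valid for 15 minutes
MAX_FAILURES = 3     # assumed: wrong-answer attempts allowed before lockout

def _kdf(answer: str, salt: bytes) -> bytes:
    # Normalise case/whitespace, then slow-hash: answers are low-entropy secrets.
    text = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, 100_000)

class ResetService:
    def __init__(self, send):
        self.send = send      # callable(contact, message): stand-in for the email/SMS gateway
        self.accounts = {}    # user -> account record
        self.tokens = {}      # sha256(token) -> (user, expiry); raw tokens are never stored

    def register(self, user, contact, answers):
        salt = os.urandom(16)
        hashed = {q: _kdf(a, salt) for q, a in answers.items()}
        self.accounts[user] = {"contact": contact, "salt": salt,
                               "answers": hashed, "failures": 0}

    def request_reset(self, user, answers, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or acct["failures"] >= MAX_FAILURES:
            return False
        ok = True
        for question, expected in acct["answers"].items():
            given = _kdf(answers.get(question, ""), acct["salt"])
            ok &= hmac.compare_digest(given, expected)   # constant-time, checks every answer
        if not ok:                  # assumption 1: only the owner knows these answers
            acct["failures"] += 1
            return False
        acct["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).digest()] = (user, now + TOKEN_TTL)
        self.send(acct["contact"], token)   # assumption 2: only the owner reads this channel
        return True

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None or now > entry[1]:
            return None
        return entry[0]   # caller may now set a new password for this user
```

Attempt limits, expiry and single-use tokens narrow the window for guessing, but they do not change the fact that the flow authenticates knowledge of the answers and access to the mailbox or phone, not the account owner.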