Online identity and password management has concerned online users and online companies since the advent of the Internet. Users often find it difficult to remember and keep track of different credentials or logins (e.g., usernames and/or passwords) for their various online accounts and may either forget this login information or provide incorrect login information. As a result, many users use the same password for many different websites or have to reset their login information. This has led to an increase in unauthorized users and/or entities attempting to access user accounts by attempting to reset user login information.
For example, the use of passwords and existing account reset techniques has been abused by malicious entities seeking to gain unauthorized access to users' accounts in order to perform various malicious tasks. The malicious entities may exploit an online service provider's willingness to reset an account or password in order to gain access to a user's account for the purpose of obtaining contact lists, active e-mail addresses, personal information, etc. Alternatively or additionally, malicious entities may exploit an online service provider's willingness to reset an account or password in order to obtain access to the user's e-mail account in order to send e-mails, such as spam, phishing scams or requests, or other types of fraudulent, abusive, and/or burdensome messages.
One attempt to mitigate the disadvantages of traditional passwords involves the use of so-called “two-step verification,” which leverages the use of some physical key carried by a user. For example, many known methods involve the use of a pocket-sized authentication token which is carried by the user and displays a changing passcode on an LCD or e-ink display, which must be typed in at an authentication screen. The number is typically derived from a shared secret by a cryptographic process that makes it infeasible to work out the secret from the sequence of numbers, e.g., using a hash or other cryptography combined with a challenge. The same process repeated on the authentication server will yield the same result if the correct secret was used. Another technique for two-step authentication involves receiving a username and password from a user, and then sending, e.g., by SMS, a unique code to the user through a linked device, such as a mobile phone. The user receives the unique code at the mobile phone, and types it into the website to prove that the user has possession of the device, and is therefore likely the user associated with the previously input credentials.
Unfortunately, many people have not yet implemented two-step verification or other password improvements to their online accounts. This is especially true of people who opened online accounts a relatively long time ago, such as 5-10 years ago, or before certain other password or user verification techniques were implemented. To thwart this vulnerability, many online websites have increased the requirements associated with resetting accounts or passwords, by requiring all users attempting to reset login information to either submit substantial additional user data or call the online company and speak to a representative to attempt to prove their identity to gain access to their online account. However, these methods make it more difficult for even legitimate users to reset and access their accounts, and they do not differentiate between users of different levels of trustworthiness. For many people, an online company would have to resort to the undesirable options of either allowing each user to reset a password with minimal verification that they are who they say they are, or preventing the user from resetting a password and instead insisting on the undesirable workaround that the user abandon that account and open a new account.
Accordingly, a need exists for systems and methods for managing the resetting of online identities or accounts of users of Internet web pages, based on data intrinsic to the users' interaction with Internet web pages.