Account Recovery

Allows a user to log into LearningBuilder if they forget their password and no longer have access to the email address on file. Released in 11.0.18.

Sys Admins can also view configuration instructions.

This feature applies to “Person” accounts only; Organization type accounts cannot recover their accounts this way.

Overview

LearningBuilder allows users who have forgotten their password to recover their account by confirming access to the email address on file. They can request an email containing a link that allows them to reset the password.

In many systems, however, Practitioners register in LearningBuilder using their work email address. Those users are unable to recover their accounts after switching jobs if they lose access to that email account.

The Account Recovery feature allows those users to regain access to their account by confirming personally identifying information (such as SSN and birthday) in lieu of a password.

Allowing users to bypass the password and email account verification process can potentially reduce site security. Account Recovery is disabled by default and should be implemented with care.

Account Recovery prompt on the “Forgot Password” page

Details

The specific information needed to recover an account is configurable by a Sys Admin.

At least two of the following pieces of information must be required:

| Data field | Notes |
| --- | --- |
| Primary email address | |
| Social Security Number | See https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/262569985 |
| Driver’s License Number | |
| Any extrinsic Short Text, Numeric, Date, or Pick List attribute on a Member Role | The common use case is Birth Date, but it can also be used to confirm identity using other (presumably private) information tracked on the Member Role. |

User experience

When Account Recovery is enabled, the “Forgot Password” page will display an option to begin the recovery process.

The recovery page will prompt the user to input the required information, which again can vary between implementations.

Account Recovery “UI flow”

Email and password change is required upon successful recovery

If the user input successfully identifies a single Member account, the user will be prompted to enter a new email address and password.

This is a required step of the recovery process, because use of the Account Recovery feature implies that the email address is no longer accessible, and we want the user to properly secure their recovered account.

After the user enters the new email address, an email containing an account recovery code is sent to that address, similar to the standard Reset Password flow.

Once the user enters the code they are prompted to enter a new password.

After the new password is validated, the primary email address is updated and the user is logged in.

Account Recovery is disabled after 3 failed attempts

To prevent brute-force account recovery attacks, three consecutive failed Account Recovery attempts will disable Account Recovery for that account.

Members in this status cannot use the Account Recovery feature. They can still log in normally (assuming they know their password) and can still use the Reset Password feature if they have access to their primary email; this status only prevents use of the Recovery feature.

In all other cases, they will need to contact support to have their password reset by an administrator.

Any successful password reset (regardless of who performs it) will re-enable Account Recovery for that account.
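The rules above (at least two required fields, exactly one matching account, lockout after three failures, re-enabled by any password reset) as an added Python model; this is example code, not LearningBuilder's implementation. It assumes the primary email address is always one of the required fields and names the account a failed attempt is counted against, and it uses constructed sample records.

```python
import hmac
from dataclasses import dataclass
MAX_FAILED_ATTEMPTS = 3  # page rule: recovery is disabled after three failed attempts

@dataclass
class Member:
    member_id: int
    email: str
    attributes: dict      # recovery data kept on the Member Role (e.g. ssn, birth_date)
    password_hash: str = ""
    failed_recoveries: int = 0
    recovery_disabled: bool = False

def validate_required_fields(fields):
    fields = tuple(dict.fromkeys(fields))   # Sys Admin rule: at least two distinct fields
    if len(fields) < 2:
        raise ValueError("Account Recovery must require at least two data fields")
    return fields

def _field_matches(member, name, value):
    # Constant-time compare so response time does not reveal which field was wrong.
    stored = member.email if name == "email" else str(member.attributes.get(name, ""))
    return hmac.compare_digest(stored.encode(), str(value).encode())

def attempt_recovery(members, required_fields, submitted):
    # Step 1: ("verified", member) only if the data identifies exactly one recoverable account.
    # Assumption: "email" is always required and names the account an attempt is charged to.
    target = next((m for m in members if _field_matches(m, "email", submitted.get("email", ""))), None)
    if target is None or target.recovery_disabled:
        return "denied", None                # same generic answer as a wrong guess
    matches = [m for m in members
               if all(_field_matches(m, f, submitted.get(f, "")) for f in required_fields)]
    if len(matches) == 1 and matches[0] is target:
        target.failed_recoveries = 0
        return "verified", target            # next: new email, emailed code, new password
    target.failed_recoveries += 1
    if target.failed_recoveries >= MAX_FAILED_ATTEMPTS:
        target.recovery_disabled = True
    return "denied", None

def complete_password_reset(member, new_email, new_password_hash):
    # Any successful password reset, by the user or an administrator, re-enables recovery.
    member.email, member.password_hash = new_email, new_password_hash
    member.failed_recoveries, member.recovery_disabled = 0, False

MEMBERS = [  # constructed sample records, not real people
    Member(1, "alice@oldjob.example", {"ssn": "123-45-6789", "birth_date": "1980-01-02"}),
    Member(2, "bob@example.org", {"ssn": "987-65-4321", "birth_date": "1975-06-30"}),
]
REQUIRED = validate_required_fields(["email", "ssn", "birth_date"])
```

A locked-out account gets the same "denied" answer as a wrong guess, so the lockout state itself is not revealed to the caller.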