Do PasswordRecovery password management work with blocked users?

Example script in an ASP.NET application using SQL Server Membership Provider:

1) The user cannot remember his exact password and, within a short period of time, logs in with an invalid password many times (say, 5 times in a 10-minute window). This locks the user out (i.e., sets the IsLockedOut flag of the aspnet_Membership table to 1).

2) The user goes to the "forgot password" screen to try to get a new password by email. The PasswordRecovery control is used on this screen. The user enters their correct user ID but cannot go any further in the password recovery process, since the IsLockedOut flag is 1. (They don't even get to see their security question.)

3) The user will then have to call technical support to get an unlock, etc.

To reduce the load on the support staff, we are trying to cut the time required to complete step 3 by making the PasswordRecovery control (if possible) work with locked-out users. That is, when they enter their login ID, a security question is shown, and if they enter the correct answer, the system unlocks the user and sends them a new temporary password. I am wondering whether the PasswordRecovery control can be configured for this. Or perhaps this approach has security issues?

1 answer

You can create a custom membership provider that has an AutoUnlockTimeout parameter which can be configured through configuration; see "Implementing automatic unlocking in ASP.NET 2.0 SqlMembershipProvider".

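One way to implement the auto-unlock the answer refers to, as an added example that is not part of the original post or of the linked article: a provider derived from SqlMembershipProvider that clears a lockout only after a configured timeout has elapsed since LastLockoutDate, so a burst of bad passwords keeps its throttling effect while PasswordRecovery works again afterwards. The class name, the `autoUnlockTimeout` attribute and the 30-minute default are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Web.Security;

// Hypothetical provider (not from the original page): SqlMembershipProvider that
// unlocks an account once the configured timeout since LastLockoutDate has passed.
public class AutoUnlockSqlMembershipProvider : SqlMembershipProvider
{
    private TimeSpan _autoUnlockTimeout = TimeSpan.FromMinutes(30); // assumed default

    public override void Initialize(string name, NameValueCollection config)
    {
        // "autoUnlockTimeout" (minutes) is an assumed custom attribute on the <add> element in
        // web.config; it must be removed before the base class rejects unknown attributes.
        string raw = config["autoUnlockTimeout"];
        if (!string.IsNullOrEmpty(raw))
        {
            int minutes;
            if (!int.TryParse(raw, out minutes) || minutes <= 0)
                throw new ProviderException("autoUnlockTimeout must be a positive number of minutes.");
            _autoUnlockTimeout = TimeSpan.FromMinutes(minutes);
            config.Remove("autoUnlockTimeout");
        }
        base.Initialize(name, config);
    }

    // A fresh lockout still blocks; only a lockout older than the timeout is cleared.
    private void UnlockIfExpired(MembershipUser user)
    {
        if (user == null || !user.IsLockedOut) return;
        if (DateTime.UtcNow - user.LastLockoutDate.ToUniversalTime() >= _autoUnlockTimeout)
            user.UnlockUser(); // resets IsLockedOut and the failed-attempt counters
    }

    // PasswordRecovery looks the user up through GetUser, so an expired lock is cleared here
    // before the control reaches the security-question and reset steps.
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        MembershipUser user = base.GetUser(username, userIsOnline);
        UnlockIfExpired(user);
        return user;
    }

    public override bool ValidateUser(string username, string password)
    {
        UnlockIfExpired(base.GetUser(username, false));
        return base.ValidateUser(username, password);
    }
}
```

Register it in web.config under `<membership defaultProvider="...">` with the usual SqlMembershipProvider attributes plus `autoUnlockTimeout="30"`; the lockout threshold itself (maxInvalidPasswordAttempts, passwordAttemptWindow) stays as configured.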

Source: https://habr.com/ru/post/1306649/
