Do-It-Yourself Account Recovery

UzaakUzaak Registered Users, Member 4 Posts
Hello everyone.

TL;DR: This post has a couple of possibilities for an automated account recovery, including sketches of sequence diagrams. It might help hasten the recovery of lost accounts.



The Problem:
When a person loses access to their account, they have to go through an long process of sending a ticket with a lot of information and waiting for about two weeks to return to the game. That player will lose events, won't be able to help their club, and in some cases might even lose interest in the game.

The Solution:
Players already have the ability to link an e-mail address to their accounts, for the purpose of "providing personalized news and promotions". Given that the player has access to that e-mail address, it should be possible to retrieve their lost account through a mechanism similar to that of the account linking to secondary devices.

Here are some ideas. While I don't know how the backend servers are structured, I took the liberty of considering that it has one service responsible for device linking and simply called it "Backend".


Current Account Linking Architecture:



Two things to point out here, in which I will base myself for the ideas given afterwards:

- Device A says it allows Device B to use it's account. This first code generation proves that the user owns the account, therefore having permission to also use it on Device B;

- After Device B inputs the first code, a second one is generated. This likely happens to prevent an ill-intentioned person to brute force their way inside an account by randomly trying various codes until something finally works;


Idea 1: Simple E-mail Account Recovery



It essentially functions the same as the Device Linking, with pros and cons compared to other solutions.
- Originally, the Backend knew the account to recover was the one used by Device A. Here, the Backend needs to find what account to recover, based on the provided e-mail address.
- It could also ask for the user's Account ID to increase security and reduce the trouble of two accounts using the same e-mail address.

PROS:
- One-step, self-service solution;

CONS:
- Unsafe. Needs the servers to get ready to receive some attacks, since someone could attempt to brute-force their way into an account.


Idea 2: Two-Steps E-mail Account Recovery



This solution looks a lot like the first one, except that it uses two codes. It is also much more similar to account linking and could use the existing logic, with what looks like minor changes (finding the account by e-mail instead of using Device A's request).

PROS:
- Safer than Idea 1;
- Probably the faster one to implement

CONS:
- Asking users to check their e-mail twice is not the optimal experience. (Sure, it's much less painful than being locked out of your account for two weeks, sooo...)


Idea 3: Self-Service Account Recovery using a Web Page



Based on Idea 2, this one uses an Account Recovery Web Page to avoid the need of a second e-mail. Notice that the device is re-sending the e-mail address information when confirming the code so to avoid brute force attempts to hack an account.

PROS:
- No checking your e-mail twice;

CONS:
- Need to develop the webpage.



Thank you for taking your time to read it all. I know some things can be more complex than they look, but I still hope some of this can be used.

- Uzaak
Sign In or Register to comment.