quietseas wrote:
What is the best way for a consumer facing company with tens of millions of customers -- many of whom are not IT savvy -- to reset an account login that has been locked due to repeated failed login attempts?
Security questions are a form of 2-factor authentication. There are more robust 2FA protocols available. For robust password reset you need 3-factor authentication. Password plus 1 extra factor for login, both auxiliary factors for password reset. Examples:
1. Password + hardware token for login. Hardware token plus email code plus account identifying info for reset. (SMS code plus hardware token would be ok, but is vulnerable to one's phone and hardware token both being lost or stolen at the same time).
2. Password plus SMS code for login. SMS code plus one time use secondary password plus account identifying info for reset.
3. Password plus SMS code for login. SMS code plus email code plus account identifying info for reset.
The third one is weakened some if the email address is mapped to the phone where the SMS is received.
Suggesting that a weaker protocol is justified due to needing to administer millions of accounts doesn't fly when the application is a password safe. If there is not a robust authentication mechanism, then web access is not an acceptable architecture for a password safe.
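As an added illustration of the factor policy laid out in the reply above (example code, not the poster's own), here is a Python model in which login needs the password plus one auxiliary factor, while a reset consumes every auxiliary factor plus account-identifying info; the channel names, the 300-second code lifetime and the in-memory code store are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for a one-time code


class ResetGate:
    """Login: password + ONE auxiliary factor.
    Reset: EVERY auxiliary factor + account-identifying info.
    Codes are single use and expire; compare is constant-time."""

    def __init__(self, auxiliary_channels):
        self.channels = tuple(auxiliary_channels)  # e.g. ("sms", "email")
        self._pending = {}  # channel -> (code, issued_at); assumed in-memory store

    def issue_code(self, channel, now=None):
        if channel not in self.channels:
            raise ValueError(f"unknown channel {channel!r}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[channel] = (code, time.time() if now is None else now)
        return code

    def _consume(self, channel, presented, now):
        # Pop unconditionally: a wrong or expired guess burns the code too.
        entry = self._pending.pop(channel, None)
        if entry is None:
            return False
        code, issued = entry
        if now - issued > CODE_TTL_SECONDS:
            return False
        return hmac.compare_digest(code, presented)

    def login_ok(self, password_ok, channel, presented, now=None):
        now = time.time() if now is None else now
        return bool(password_ok) and self._consume(channel, presented, now)

    def reset_ok(self, presented, account_info_ok, now=None):
        now = time.time() if now is None else now
        # Evaluate every channel before deciding so all codes are consumed,
        # even when one factor or the account info is missing.
        results = [self._consume(ch, presented.get(ch, ""), now) for ch in self.channels]
        return bool(account_info_ok) and all(results)
```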