Member Accounts and Security Question

Lämmchen

The Lämminator
Administrator
Feb 10, 2019
3,591
1,199
173
www.christianityhaven.com
FP$
14,101
How do you go about verifying that a member is truly who he says he is if he gets locked out of his account? What is your procedure?

I have a member on a site now (not here at FP) who is giving all the accurate information but it's also everything that can be Googled if someone takes the time. His speech pattern doesn't reflect his past posts so of course I'm suspicious.
 

meetdilip

Marketing Team Member
Marketing Team
Feb 17, 2019
740
289
73
FP$
2,907
Ask them to start a new account. Once you are convinced, merge the user names.
 

Lämmchen
I check the IP address to see if it's the same or not.

Here's a scenario...

The member logged into his account and logged out. Then the next day says he can't get into his account and created a new one. The IP matched those two logins from both accounts but the ISP is different than what the member normally used and the member can't remember the password to log in and can't get into his email address. Now what do you do?
 

Empire

VIP Team Member
Jul 16, 2015
25,712
3,093
683
27
United Kingdom
www.baysidegamers.com
FP$
338,303
  1. Check the IP's country and location - Same IP you say, but country???
  2. Check what emails he used
  3. Check where they log in from and when
  4. At times you can check emails to see if they're listed for spam or what
  5. Add restrictions to the account until resolved.
Then just carefully keep an eye on what his posts are like and whatnot. I mean, so much you can do, but after that it's just making that right choice and options.
 

meetdilip
> What does it take to convince you that's the new user if they can't get into their email account that they signed up with?

It is a safety precaution. Everything can be faked and hacked. Give the new account some time. If the person behaves oddly, other members and staff will also know and will stand behind you.
 

Carlos X

Addicted
Feb 28, 2013
770
243
78
California
www.carlosx360.com
FP$
2,354
> 1. Check the IP's country and location - Same IP you say, but country???
> 2. Check what emails he used
> 3. Check where they log in from and when
> 4. At times you can check emails to see if they're listed for spam or what
> 5. Add restrictions to the account until resolved.
>
> Then just carefully keep an eye on what his posts are like and whatnot. I mean, so much you can do, but after that it's just making that right choice and options.

On XenForo, this is made MUCH easier. Check their account and click on their IP address; those IP links typically take you to the "whatismyipaddress" website with the IP address in question.

And in saying that, I co-sign what @Empire says up there. :)

> Here's a scenario...
>
> The member logged into his account and logged out. Then the next day says he can't get into his account and created a new one. The IP matched those two logins from both accounts but the ISP is different than what the member normally used and the member can't remember the password to log in and can't get into his email address. Now what do you do?

Oh, then, check the changelog of said account. That is how you can see what's what.
 

Terminated

Hasta La Vista, Baby
Mar 10, 2021
500
125
43
34
FP$
1,500
An administrator told me that IP addresses don't lie. There's even a plug-in that'll show the accounts that used the same IP address. Why is that not enough?

Let's say that you have a member you banned. You banned their account, not their IP address. Not long after, a new member registers on the forum with the same exact IP address. Obviously you're going to ban them AGAIN unless they register using a proxy or VPN service. But if someone gets locked out of their account using the same IP address, why can't you just give them their account back?

That doesn't make sense to me. Because to me, that's obviously the same person. And if they're asking for their account back, why not?

What is there to gain from someone who isn't them taking that account on a small community?
 

Cumulus

Marketing Team Leader 📊
Marketing Team
Oct 8, 2020
856
362
63
UK
FP$
3,380
> An administrator told me that IP addresses don't lie. There's even a plug-in that'll show the accounts that used the same IP address. Why is that not enough?
>
> Let's say that you have a member you banned. You banned their account, not their IP address. Not long after, a new member registers on the forum with the same exact IP address. Obviously you're going to ban them AGAIN unless they register using a proxy or VPN service. But if someone gets locked out of their account using the same IP address, why can't you just give them their account back?
>
> That doesn't make sense to me. Because to me, that's obviously the same person. And if they're asking for their account back, why not?
>
> What is there to gain from someone who isn't them taking that account on a small community?

Yeah I agree with @Terminated. Generally I'd look at the following measures:
  • IP address - if they match, I am usually quite confident it's the same user
  • Email Address - if they can both confirm that the email on the original account is theirs and recite a verification code emailed
  • Geolocation & ISP - if they don't have the same IP (say they're on a dynamic IP provider) then I'll check extra details like this to look for consistency
  • Third Party Platforms - if they've linked via Google or Discord, I will often check if they can confirm it's them via those platforms (a Gmail or Discord DM)

With staff accounts (especially those with more powers), I'd look to authenticate via several of the aforementioned methods.
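
Added example, not part of any post in this thread: Python that evaluates the signals listed above against Lämmchen's scenario. A same-IP match counts only if the address (or ISP and country) appears in the account's logins from before a recent window, so a login made the day before the claim cannot vouch for itself. The login records, the 7-day window and the thresholds in `decide` are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    day: int       # day number on a constructed timeline
    ip: str
    isp: str
    country: str

# Constructed history for the locked account (documentation-range IPs).
HISTORY = [
    Login(1, "198.51.100.7", "ISP-A", "US"),
    Login(9, "198.51.100.7", "ISP-A", "US"),
    Login(20, "198.51.100.31", "ISP-A", "US"),
    Login(41, "203.0.113.50", "ISP-B", "US"),  # login the day before the lockout claim
]

def issue_code():
    """Return (code to email, digest to store); the plaintext code is not kept."""
    code = secrets.token_hex(4)
    return code, hashlib.sha256(code.encode()).hexdigest()

def code_matches(stored_digest, recited):
    """Constant-time check of the code the claimant recites."""
    digest = hashlib.sha256(recited.strip().encode()).hexdigest()
    return hmac.compare_digest(stored_digest, digest)

def recovery_signals(history, claim, recent_days=7, code_ok=False, third_party_ok=False):
    """Score the claim against logins older than the recent window only."""
    baseline = [l for l in history if l.day < claim.day - recent_days]
    ip_known = any(l.ip == claim.ip for l in baseline)
    isp_geo_known = any((l.isp, l.country) == (claim.isp, claim.country) for l in baseline)
    return {
        "network": ip_known or isp_geo_known,  # ISP/geo is the fallback for dynamic IPs
        "email_code": code_ok,
        "third_party": third_party_ok,
    }

def decide(signals, is_staff=False):
    required = 3 if is_staff else 2  # assumed thresholds, not from the thread
    return "restore" if sum(signals.values()) >= required else "keep_restricted"

if __name__ == "__main__":
    claim = Login(42, "203.0.113.50", "ISP-B", "US")  # new account, same IP as day 41
    signals = recovery_signals(HISTORY, claim)
    print(signals, decide(signals))
```
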
 

Terminated
> Email Address - if they can both confirm that the email on the original account is theirs and recite a verification code emailed

What are your thoughts on members who delete their old email accounts?

I wouldn't say that's a very reliable thing to go off of. Especially if the member made the account 5 to 10 years ago and didn't think about how it would affect their account on your forum. Many email services now give the option if you decide to delete it.
 