I guess the usual trick for verifying identity is to send the person an email with a one-use URL (or similar) to respond yes or no. Would that be enough (do hcoop members already have an email address associated with them?)?
~d

On 2014-03-22 14:37, Clinton Ebadi wrote:
> Greetings,
>
> To reset passwords, we try to require members make a small payment using
> the checkout or paypal account listed with the portal. Stripe,
> unfortunately, is a bit looser with its notion of an account for
> customers, and they really only amount to an email address.
>
> So: the question is how we support Stripe for password resets...
>
> There's a complicated way involving Stripe Customer instances and other
> things I'd like to avoid for the moment.
>
> A simpler way that I'm not entirely sure of... Stripe provides a
> unique fingerprint of every card used to pay us. We could:
>
> * Store the fingerprint along with the stripe_payment, allowing a reset
>   using any card ever used to pay for that member.
>
> or
>
> * Store the last used fingerprint for each member, requiring password
>   resets to use the last used card.
>
> or
>
> * ???
>
> For the time being, I am going to punt on non-Paypal password
> resets. I'd really like to hear some ideas -- I don't want to march
> forward blindly into accidentally weakening identity verification.
>
> If we figure this out, password resets via Stripe should be much nicer
> than Paypal/Checkout. The passgen id# can be displayed and then added to
> the Stripe transaction programmatically, and we can trivially charge and
> then refund a small payment ($1? $5?) after verifying the card. This
> would leave us with only one manual step (actually resetting the
> password).
>
> _______________________________________________
> HCoop-Discuss mailing list
> [email protected]
> https://lists.hcoop.net/listinfo/hcoop-discuss
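
Added example (not part of the original thread, and not HCoop's portal code): the two fingerprint policies proposed in the quoted message, side by side, together with the passgen id check. The `PAYMENT_HISTORY` store, the shape of the `payment` dict and all fingerprint values are constructed assumptions; no Stripe API is called.

```python
import hmac

# Constructed sample data: member names and fingerprints are made up.
# Each list holds the card fingerprints stored with a member's past
# Stripe payments, oldest first.
PAYMENT_HISTORY = {
    "alice": ["fp_old_card_0001", "fp_new_card_0002"],
    "bob": ["fp_bob_card_0003"],
}


def _same(a, b):
    """Compare two strings without an early exit on the first mismatch."""
    return hmac.compare_digest(a.encode(), b.encode())


def allowed_fingerprints(member, policy):
    """Return the fingerprints that may authorize a reset under a policy."""
    history = PAYMENT_HISTORY.get(member, [])
    if policy == "any_card":   # option 1: any card ever used for the member
        return list(history)
    if policy == "last_card":  # option 2: only the most recently used card
        return history[-1:]
    raise ValueError(f"unknown policy: {policy}")


def verify_reset(member, expected_passgen_id, payment, policy):
    """Check a verification payment against a pending reset request.

    `payment` is a hypothetical dict carrying the card fingerprint and
    the passgen id that was attached to the transaction.
    """
    got_id = str(payment.get("passgen_id", ""))
    if not _same(got_id, str(expected_passgen_id)):
        return False  # payment is not tied to this reset request
    fp = payment.get("fingerprint", "")
    # An unknown member has no stored fingerprints, so nothing can match.
    matches = [_same(fp, known) for known in allowed_fingerprints(member, policy)]
    return any(matches)
```

Under `any_card`, a card the member stopped using long ago still authorizes a reset; `last_card` narrows that to one card, at the cost of locking out a member whose most recent card is no longer available.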
