So you have that neat little PDF file you ask people to download when they set up their account. And you thought that was so foolproof that no scenario could ever occur which might still lock people out, right? You thought you thought of everything.
Well unfortunately you didn’t. My laptop died. And along with it my nifty PDF emergency kit. So I have my email address. All my billing information. I can even send you my passport to prove who I am. I have my master password. I’ve got it all.
But since my laptop died and I have to use a “new device” to get in, your developers, in their infinite wisdom, decided that I need my key. Or I’m out of luck!
Unfortunately, because of this arbitrary requirement, over $100,000 of mine is now lost forever. I even tried the “forgot password” link and you even show me part of my recovery key!
So you know part of it. If not all of it.
But you’ve made a rule that if I don’t know it, I will never have access to my information again.
I’ve been sitting here for 4 hours sweating, with my head in my hands, until 3 AM trying to figure this out. Only to read all your “help” documents and support replies basically telling people “tough luck”.
Lucky for your company, 90% of your customers only store passwords. So you haven’t had to deal with a bunch of lawsuits from people that have lost hundreds of thousands of dollars. They just have to go and reset all their passwords.
And they can. Because every other website on the Internet allows this. It doesn’t matter if it’s the IRS, my bank, or the most secure website on earth. They allow people to access their own accounts, no matter what.
So should you. Obviously.
You actually thought it would make sense to have a policy that in some circumstances, customers can’t access their own sensitive information?
This is a legal matter now.
I need your help. I need somebody to do something. An attorney is going to cost me a lot less than the money I’ve lost tonight because your software has locked me out.
You might think this is a neat way to show the public that you’ve got extra security. But your job is to keep everyone else out. Not to keep me out. And if we need to establish that in a court of law, then we will.
I need you to help me get access to my account again. Or there will be a lawsuit. Period.
Before you rattle off “sorry this is the way it is”, I recommend you forward this thread to your legal department. Because anything you type is going to be included in the lawsuit.