As a developer, I want to know the technical, security, and UX considerations for the password reset project, so that the CommTech team can properly prepare for the project.
Requirements:
- Investigate the technical and UX considerations of requiring both a username and email address to successfully generate a password reset request email
- Investigate how accounts with 2FA may be impacted by password reset changes and how we can maintain a smooth password reset process for them
- Investigate if we can have an email only reset option (i.e. username is not an available option). If yes, what would be the consequences (technical and UX)?
- Investigate the work required to have a default opt-in for new users with an associated email address (while old users remain default opt-out as default)
- Connect with Security team to determine if there are additional risks to take into account (note: we have had preliminary chats with Sam Reed in Security, but we should reach out again for this spike, if possible)
- Investigate what sort of logging may be helpful for Community Engagement or Anti-Harassment after this work is complete
- Query for what percentage of accounts:
- Don't have any email address associated with an account
- Don't have a confirmed email address (i.e. they have an email address associated with an account but it has not been confirmed)
- Have a confirmed email address
- Have a confirmed email address shared by another account (and, if possible, details related to distribution -- for example, perhaps some emails have 100s of accounts?)