A small company has a website that provides online customer support. The company requires an
account recovery process so that customers who forget their passwords can regain access.
Which of the following is the BEST approach to implement this process?

A.
Replace passwords with hardware tokens which provide two-factor authentication to the online
customer support site.

B.
Require the customer to physically come into the company’s main office so that the customer
can be authenticated prior to their password being reset.

C.
Web-based form that identifies customer by another mechanism and then emails the customer
their forgotten password.

D.
Web-based form that identifies customer by another mechanism, sets a temporary password
and forces a password change upon first login.

Explanation:
People tend to forget their passwords, thus you should have a password recovery system for them
that will not increase risk exposure. Setting a temporary password will restrict the time that the
password is valid and thus decrease risk; and in addition forcing the customer to change it upon
first login will make the password more secure for the customer.