
I run a SaaS used by teams to collect company-related information (think something like Crashlytics). Even though the tool lets users invite their colleagues, we often find cases of individuals who created an account for their company but are the only users in the team. We then end up having requests from their colleagues asking to access the account, for example when those people leave the company.

The data collected mostly belongs to the company (not to the individual), so the request often makes sense.

By talking to these people you can often feel they're legitimate colleagues who lost access to their data (like they know some details about what's in the account, or their email addresses belong to the same company), but you can never be 100% certain of their good intentions. Allowing an unauthorized user to access an account without strict verification would be a massive breach, so for now we deny such requests, but that's not a great user experience, of course.

I was thinking maybe a potential way to solve this would be by using some company-related security questions, but I'm also open to other options. Do you happen to have the same problem and have you found a solution? Where can I find some best practices for account recovery procedures?

Thanks!

gimix
    Verifying domain ownership might be a possibility. – AndrolGenhald May 16 '18 at 19:13
  • I ended up doing what @AndrolGenhald suggests: this problem mainly appears on professional email addresses because when a person leaves the company their email account is usually disabled or made inaccessible. In professional domains, the owner could configure the incoming email server to receive our password recovery emails, so actually verifying ownership makes their life easier (no need to tinker with email servers) while we're not relaxing our security measures. – gimix Jun 10 '18 at 17:22
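As an added example (not code from the question or its comments), here is one way to implement the domain-ownership check the comments describe: the requester's address must be on the account's own company domain, and the claimant then proves control of that domain by publishing a server-issued token in a DNS TXT record before any recovery email is sent. The record label, the list of public mail providers and the injected fake resolver are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Addresses at public mailbox providers prove nothing about who controls a company.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
RECORD_PREFIX = "_saas-account-recovery"  # hypothetical TXT label chosen for this example
CHALLENGE_TTL = 24 * 3600  # seconds the claimant has to publish the record

@dataclass
class Challenge:
    domain: str
    token: str
    issued_at: float

def issue_challenge(account_domain: str, requester_email: str, now: Optional[float] = None) -> Challenge:
    """Open a recovery claim. The requester must be on the account's own domain, and that
    domain must be a company domain; the returned token is what they publish in DNS."""
    now = time.time() if now is None else now
    account_domain = account_domain.lower()
    requester_domain = requester_email.rsplit("@", 1)[-1].lower()
    if account_domain in PUBLIC_MAIL_DOMAINS:
        raise ValueError("public mail domain: DNS ownership proves nothing here")
    if requester_domain != account_domain:
        raise ValueError("requester address is not on the account's domain")
    return Challenge(account_domain, secrets.token_urlsafe(32), now)

def verify_challenge(ch: Challenge, lookup_txt: Callable[[str], Iterable[str]], now: Optional[float] = None) -> bool:
    """True only if an unexpired challenge token appears in the TXT record at
    <RECORD_PREFIX>.<domain>. lookup_txt is the resolver, injected so this runs offline."""
    now = time.time() if now is None else now
    if now - ch.issued_at > CHALLENGE_TTL:
        return False
    expected = f"recovery-token={ch.token}".encode()
    records = lookup_txt(f"{RECORD_PREFIX}.{ch.domain}")
    return any(hmac.compare_digest(expected, rec.strip().encode()) for rec in records)

def claim_is_rejected(account_domain: str, requester_email: str) -> bool:
    try:  # True when issue_challenge refuses the pair outright
        issue_challenge(account_domain, requester_email)
        return False
    except ValueError:
        return True

def fake_dns(records: dict) -> Callable[[str], Iterable[str]]:
    """Constructed stand-in for a real resolver (e.g. dnspython's resolve(name, 'TXT'))."""
    return lambda name: records.get(name.lower(), [])
```

In production the resolver would query DNS for real, and a successful verification should be logged and time-limited before the recovery email is actually issued.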
