
The thing is, those channels are already used by most services for password reset.

So, a user could implement this workflow themselves already.

Basically, create a password for the site that you don't even know yourself when you sign up. Make sure you select the appropriate "keep me logged in" option.

Now, if you ever get logged out, go to a different computer or otherwise clear your cookie, you just "reset" your password... which generally involves sending you an email that lets you login to the site based on the link or code provided.

This approach is simply making that the norm and doing away with the (probably insecure anyway) password for the site.

If email and SMS aren't secure for password recovery, what alternatives do we have that scale and provide for a quick and user-friendly experience?



This is actually the workflow I use every single time I log in to HN. I haven't the faintest idea what my password is.


So..... Why don't you just save the password in your browser? Do you use a new computer every time you log into HN?


With this approach, you don't have to store or remember your password. Just "reset and forget" whenever you want to start a new session. The only risk is in the few minutes your temporary password is in transit and sits in your inbox before you replace it with something ridiculously difficult to crack (or remember). It would be awesome if password reset pages offered the option of encrypting with a PGP public key to eliminate even that risk.


With this approach, you're at risk every time you log in. Why on earth you want that I have no idea.

If you create a ridiculously difficult to crack password once, you don't have to keep doing it. If it takes 50,000 years to crack, creating a new one 3 days later will not make you more secure.

If you're going to the level of PGP to send yourself a new password every time you log in, just use client certs!!!

Let me put this in more plain terms, because I want you to understand exactly why what you're doing is wrong.

Now that I know you always reset your password, I'm going to find a way to intercept your e-mail. (There are many.) Then I'm going to automatically reset your password as soon as the mail is delivered, faster than you ever possibly could by hand.

If you had just remembered or saved your password in the browser this would have been impossible. Now your account is compromised because you thought it was easier to go through 4 steps every time you log in versus just logging in with a saved password.
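The first post above describes using the e-mail reset link as the login itself, and the last comment points out that whoever reads the mail first owns the account. The following is an added illustration, not code from Hacker News or from any commenter, of the server-side properties that limit that exposure: the link token is random, stored only as a hash, expires after a short assumed TTL, can be redeemed exactly once, and every redemption or reuse attempt is written to an audit trail so the account owner (or a monitoring rule) can see that a link was consumed. Names such as `ResetService`, `TOKEN_TTL_SECONDS` and the audit event strings are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy value for the example; real deployments pick their own TTL.
TOKEN_TTL_SECONDS = 600


@dataclass
class ResetRecord:
    user_id: str
    issued_at: float
    used: bool = False


class ResetService:
    """Illustrative e-mail-link reset/login flow (hypothetical, not any site's code).

    The plaintext token is returned once to be placed in the e-mail; the server
    keeps only its SHA-256 hash, so a database leak does not expose usable links.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.records: Dict[str, ResetRecord] = {}      # keyed by token hash
        self.audit: List[Tuple[str, str]] = []         # (user_id, event)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh single-use token and record when it was issued."""
        token = secrets.token_urlsafe(32)              # 256 bits of randomness
        self.records[self._hash(token)] = ResetRecord(user_id, self.clock())
        self.audit.append((user_id, "reset_link_sent"))
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is valid, unexpired and unused; else None.

        A second redemption of the same link fails and is logged as a reuse
        attempt, which is the signal a defender wants when a link was read by
        someone other than the owner.
        """
        rec = self.records.get(self._hash(token))
        if rec is None:
            return None                                # unknown or forged token
        if rec.used:
            self.audit.append((rec.user_id, "reuse_attempt"))
            return None
        if self.clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            self.audit.append((rec.user_id, "expired_attempt"))
            return None
        rec.used = True                                # consume before granting access
        self.audit.append((rec.user_id, "reset_redeemed"))
        return rec.user_id


def demo() -> dict:
    """Walk through issue, redeem, replay and expiry with a controllable clock."""
    now = [1_000_000.0]                                # constructed fake clock
    svc = ResetService(clock=lambda: now[0])

    link = svc.issue("alice")                          # would be e-mailed to alice
    first = svc.redeem(link)                           # first reader logs in
    second = svc.redeem(link)                          # replay of the same link fails

    stale = svc.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1                    # let the link age past the TTL
    expired = svc.redeem(stale)

    return {"first": first, "second": second, "expired": expired, "audit": svc.audit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The single-use check happens before access is granted, so a replayed link never yields a second session; the audit list is where a real service would hook a notification to the account owner, which is the practical mitigation for the interception scenario the last comment describes.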



