Our login recovery process applies in very specific, rare situations:
- You have lost your login information and access to your email address at the same time.
- You have a two-factor authentication configured, your second factor is lost or broken, and you don't have one-use recovery codes saved.
- We determine that control of a membership and the associated email address have been hijacked or transferred to someone other than the named member.
To recover access to a membership in these situations, we offer a variety of possible recovery actions, and a certain number of them must be completed successfully. The login recovery process is very onerous (by Internet standards, anyway; it's not really that difficult) and since its goal is to prevent illicit membership access, you will probably find that we are not very helpful while you are completing it.
These recovery actions can be performed by any member at any time:
- You provide a legible, unredacted image of a currently-valid government-issued photo ID matching the name on the membership. Examples include a driving license, passport, or state-issued ID card. All ID's are considered on a case-by-case basis, but a good rule of thumb for whether a particular photo ID will be acceptable is whether it shows your date of birth and whether you can go to prison for forging it. (Note: Most school-issued ID's do not meet our requirements.)
- You provide a legible, unredacted image of a preprinted statement showing a transaction matching the date and amount of a recent deposit to an account on your membership and the (personal or business) name we have on file for the corresponding account. This usually means a bank or credit card statement. PayPal and Dwolla provide downloadable monthly statements that you can use, but you will typically then also have to verify your address as described below. Email receipts and screenshots (e.g. from PayPal, Dwolla, or us) are not acceptable.
- If (and only if) you lose access to your email: We try and fail to contact you via the email address we currently have on file for your membership. (This one may take a long time.)
- If (and only if) you lose your configured two-factor authentication device: We successfully contact you via the email address we currently have on file for your membership.
These optional actions must be set up in advance from the profile tab in our member interface in order to be used for recovery:
- You complete SMS verification. (Requires SMS to be configured in advance.)
- You complete two-factor verification. (Requires two-factor authentication to be configured in advance.)
- You correctly answer your pre-set security question. (Requires a security question and answer to be configured in advance.)
- You use an ssh key to create a file with a specific name on one of your sites hosted here. (Requires an ssh key to be configured in advance. Also requires that you have access to at least one currently-working site hosted by us. Caution: If you are out of funds, your sites can't be accessed!)
The default number of actions required to recover a membership is three, but this can be customized from the profile tab in our member interface to make recovery (and consequently hijacking) more or less onerous.
If (and only if) you choose to provide both a photo ID and an account statement, then at least one must display the same official mailing address as that shown on the corresponding account. If neither does, you must additionally provide address verification, typically a utility bill, lease, or property tax bill matching both the address and the surname or company name on the account (either currently or contemporary with the deposit). If you are providing either photo ID or an account statement, but not both, then you can skip this requirement.
The third and worst case scenario is that you have two-factor authentication configured that isn't working and you didn’t save any one-use recovery codes and you don't know your login and password and your member contact email address isn't working. This case is so spectacularly unlikely that even if your recovery settings are lower, you will have to complete all possible verification steps to regain access to your membership. Seriously, don't let this happen.
Unfortunately, the vast majority of "I lost all my information, please make an exception to your security practices and let me in" requests we receive come from people trying to gain illicit access to someone else's membership. NearlyFreeSpeech.NET takes the security and privacy of our members' services very seriously. We believe our members know that we are serious about protecting their privacy and security. We believe that's at least part of the reason a lot of them pick us. We believe that they expect us to live up to that in situations such as these so that when they emerge from it, they can be supremely confident that their membership can't be hijacked by the first person who comes along with a good story. Consequently, we automatically construe any attempt to convince us to make an exception to our standard practices as an attempt by an unauthorized party to socially-engineer illicit access. This includes threats, attempts at negotiation, sob stories, and everything in between.