It has become very common for online communities to require a validated email address in order to use an account.

Validated means that the member entered the address, they were sent an email message with a link in it that they had to click – they viewed the message and clicked the link. Since they were able to access the link, that means they received the message and have access to that email address, which is real. Hence, validated.

This is a good thing because it gives you a verified means of contact. But, like any contact information, it can eventually slip out of date and when someone stops using an email address, or loses access to it, they sometimes forget to update the address in their profile section of your community. If they do this and lose their password, they may not be able to reset it. And when this happens, they may contact you.

As much as you’d like to help every person who contacts you, you can’t just give someone access to an account because they said it was their account. You can’t simply take their word for it. Given that most online communities usually don’t require more than an email address, this can put you in a tough place. But, when I am faced with these circumstances, there are a few things that I try.

Look at the Information They Did Share

While an email address might be all that is required, many members provide more than that. They provide instant messenger accounts, Twitter profiles, website addresses, etc. If you have an alternate means of contact that the member actually listed on their profile, you can use those means to verify that the member is who they say they are. If they have a website that is clearly associated with them, ask them to add a page to their website with a certain file name. If it’s good enough for Google Webmaster Tools, it’s probably good enough for your site.

This information may not only be in profiles, but in their posts, as well. Look for things that only the person posting from this account would have access to – means of contact that they themselves shared as actually being them.

Private Information Only They Would Know

This is what many companies – including financial institutions – do to give people access when they forget their password. Have you ever been asked your mother’s maiden name? Personally, I am kind of leery of that type of verification as your mother’s maiden name isn’t exactly private information.

That said, there may be private information that only you and that member know. For example, a private message conversation that you had. A post of theirs that you had to remove and what you told them about it. Look through your private message history or the member documentation to see if any of this type of information exists.

Whatever steps you take and conversations you have, document them in your member documentation. At the end of the day, you want to help people, but you need to be able to reasonably verify that they are the account holder, so that you can confidently give them access to the right person.