Protecting Your Cookies: HttpOnly

Assume the IP address changes. This means either malice, or an ISP with a rotating pool of proxy IP addresses. Either way, you need something stronger to fix this.

You should re-challenge for non-password information (secondary password, favorite color, SSN, phone call, whatever). Then walk them through secondary authorization with SSL certificates… like myopenid does.

And if the requirements of your application include the ability to accept such input… then what do you suggest?

I just love how programmers think that they get the final say when it comes to functional requirements.

You love odd things… and I already took that into account. Read this article about what Jeff is doing, and you’ll see my proposal fits in fine with the functional requirements:

http://www.codinghorror.com/blog/archives/001116.html

Offhand… I can think of no good reason why a non-trusted user should be allowed to use more than 5-10 safe HTML tags. If I’m wrong, I’d like to see what you think the requirements are.
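The "only a handful of safe tags" approach the commenter above proposes, worked through as an added example; this is not code from the original post, from the thread, or from the Coding Horror site. The tag list, the attribute policy (only `href` on `<a>`), the accepted URL schemes and the sample inputs are assumptions chosen for illustration. The point it demonstrates is that a whitelist sanitizer has to do four things at once: drop every tag not on the list, drop every attribute not explicitly allowed (so `onclick`, `style`, `onerror` never survive), reject `href` values that are not a known-good scheme (`javascript:` and `data:` are the usual ways in), and re-serialize the text so nothing the parser swallowed comes back out unescaped.

```python
# Added example: whitelist ("allow only a few safe tags") HTML sanitizer.
# Tag list, attribute policy and URL schemes are assumptions for illustration;
# they are not from the original post or the comment thread.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "code", "pre",
                "blockquote", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_URL_SCHEMES = ("http://", "https://")
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element and its text


class WhitelistSanitizer(HTMLParser):
    """Re-serialises input keeping only whitelisted tags and attributes.

    Non-whitelisted tags are removed but their text is kept (escaped);
    script/style bodies are removed entirely; comments, doctypes and
    processing instructions vanish via HTMLParser's default no-op handlers.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to emit well-formed closing tags
        self.skipping = None  # name of a script/style element being discarded

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                      # strip the tag, keep its contents
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # on*, style, src, ... never survive
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue                # javascript:, data:, vbscript: rejected
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.open_tags:
            return                      # stray or non-whitelisted close tag
        while self.open_tags:           # close anything still open inside it
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            # convert_charrefs already decoded entities; re-escape so that
            # "&lt;script&gt;" in the input stays text on the way out.
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:           # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return fragment with only the whitelisted markup left in it."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs covering the usual XSS vectors.
    for sample in [
        '<b onclick="steal()">bold</b> <script>document.cookie</script>',
        '<a href="javascript:alert(1)">click</a> <a href="https://example.com/">ok</a>',
        '<img src=x onerror=alert(1)><i>unclosed <b>nested</i>',
        'x &lt;script&gt; y',
    ]:
        print(sanitize(sample))
```

Two caveats a practitioner would add to the commenter's proposal. First, the whitelist must be positive on every axis (tags, attributes, and URL schemes); a blacklist of "bad" attributes is what gets bypassed. Second, Python's `html.parser` is lenient and does not always tokenize the way a browser does, so for anything beyond an illustration use a maintained sanitizer library rather than a hand-rolled one, and still set HttpOnly on the session cookie so that a missed vector cannot read it.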