Account Recovery with Personal Email FAQ
Note: If you have forgotten your password and are looking for information about regaining access to your Lehigh computing account, please see the LTS Forgotten Password FAQ. This resource discusses how we are phasing out account recovery using security questions and transitioning to account recovery using emails.
What Changed?
Previously, when setting up your Lehigh account for the first time, you'd choose three security questions and provide answers to them. If you forgot your password, correctly answering these three questions would allow you to set a new password for your account.
Starting in May 2023, LTS began phasing out security questions to allow you to recover access to your computing account. The forgotten password reset system now sends a password reset email to the personal email address linked to your account. You can then set a new password for your account by following the instructions in the message.
Do I need to take any action?
To prevent any disruption to your ability to reset your computing account password, please check and, if necessary, update the personal email address currently linked to your account.
- Log in to the Computing Account Information webpage at accounts.lehigh.edu/displayuser.
- The email address currently linked to your account will be labeled "External Email" near the top of the page.
- If no personal email address is listed for you or the address is outdated, update it by logging into the Change Account Credentials webpage at accounts.lehigh.edu/change with the "Update recovery email" option.
- If you don't have a personal email linked, when you next change your password, you'll be prompted to add and verify one.
What kinds of email addresses work best for account recovery?
We have found that the most reliable email addresses are those with dedicated consumer-focused email hosts such as Gmail, Outlook.com, Yahoo, AOL, or Proton.me.
Email addresses on private email systems operated by organizations such as a workplace, a high school, or another university are less reliable. These email systems often delay or entirely block our messages, preventing you from receiving our password reset email when attempting to recover access to your Lehigh account. In addition, these accounts may be closed should you leave that organization. For instance, if you linked an email address from another university and later leave that institution, you might lose access to that email address and be unable to get your password reset email.
We will periodically ask you to verify your recovery email address again so you can be confident that you can use it to recover access to your Lehigh account.
I am not receiving my confirmation or password reset email.
Email is frequently susceptible to delay; you may need to wait up to 15 minutes for our email to reach you. You may also need to check your spam or junk folder; your email provider may have incorrectly flagged our verification email as spam. After waiting and rechecking your spam folder, if you still don't appear to have received our message, try starting over and attempting to link your email address or request a password reset email again.
If you are trying to update your recovery address and are not receiving the confirmation: The provider of the address you're trying to link might be blocking our messages. Check the 'What kinds of email addresses work best for account recovery?' section for guidance, and if possible, try linking a different email address.
If you are trying to recover access to your account and are not receiving your password reset email: Contact the LTS Help Desk for assistance regaining access to your account.
How will LTS use the email address I link to my account?
The recovery email address you link to your account will only be used for the following purposes:
- Allowing you to establish your account credentials or recover access to your account should you lose it.
- Alerting you to important events related to your account, such as your account password being changed.
- Communicating with you if your Lehigh account is administratively locked.
We fully understand and deeply respect concerns about privacy and unwanted communications. We will not share the personal email address linked to your account with third parties.
Please note that when you link a new recovery email address to your account, it will not update your personal email address in Banner. If you'd like to change the personal email address used for communication by other offices at Lehigh, you can do so by logging in to Self-Service Banner and adjusting your personal information.
What should I do if I don't have a personal email address?
If your Lehigh email is your only email address, we strongly recommend signing up for a personal email account with a reputable provider. We specifically recommend Google's email service, Gmail. The enterprise version of Gmail is the service that backs Lehigh email accounts, and the free personal version should look and feel very familiar.
A personal email account also gives you more independence and flexibility. For instance, should a technical problem result in your Lehigh account being inaccessible, your personal email account would be unaffected.
What do I do if I cannot obtain a non-Lehigh email address?
Contact the LTS Help Desk, and we will assist you with obtaining a personal email account or discuss other potential account recovery options.
How does this affect Lehigh Organizational Accounts ('in' accounts)
Organizational accounts, usually called "in accounts", are automatically configured to send password recovery emails to the account owner's Lehigh email. For example, suppose the user 'abc123' is on record as the owner of the account 'inexample' and needs to reset its password. After accessing https://lehigh.edu/forgot and entering 'inexample', the password reset email will be sent to abc123@lehigh.edu.
Why is Lehigh moving away from security questions?
As research activity at Lehigh intensifies and the regulations governing Lehigh's information systems change, the University is expected by our research partners, grant-making organizations, and the US Government to comply with the information security standards set by the National Institute of Standards and Technology (NIST). As of 2017, NIST no longer considers security questions an acceptable authentication method. Of the alternative authentication methods NIST allows, we believe that the email-based recovery strategy we are transitioning to best balances meeting these security expectations while minimizing disruption to the Lehigh community.
Why are security questions no longer considered to be secure?
Security questions function similarly to passwords, aiming to validate your identity based on your knowledge. Because of this, they share many of the same pitfalls associated with passwords, and the strongest security questions and answers manifest as second passwords. This presents a dilemma: The more secure your questions and answers are, the less effective they are in recovering your account if you forget your password. Security questions that are effective for account recovery rely on factual information about you that will stay the same. With the rise of social media and the increase in frequency and severity of data breaches, personal details frequently chosen for security questions can be found or inferred from publicly available information. In many cases, security questions and their associated answers are often breached, such as during the compromise of Yahoo in 2016.
For immediate help, contact the LTS Help Desk (Hours)
EWFM Library | Call: 610-758-4357 (8-HELP) | Text: 610-616-5910 | Chat | helpdesk@lehigh.edu
Submit a help request (login required)