Unfortunately, security questions aren't much better. The best solution is to expect the user to safely and securely store a reset key (kind of like Mozilla's Sync).
However, to the average, non-techie user this is:
* Bad UX
* They won't store it securely
* They'll lose it
Another option is using public keys with some form of transition mechanism.