Here is the scenario… a web application has been implemented with the standard user management features: new users can be created, the admin approves them, and users can recover passwords and change their security question + answer, bla bla bla.
What happens if a user forgets the password?… Simple: just go to the password recovery page, answer the security question, and get the new password by email.
But what if he/she doesn’t remember the answer to the security question???