Seems like a hard problem. You could keep track of IP addresses that the user plays from, and allow resets from that IP. You'd only want to do this for very low risk types of accounts. Sadly, game sites tend to be a high target for account takeovers, so this may be a very bad idea. Adding some other fingerprinting would help.
In fact, the more I think about it, there's a paper I saw that can identify users solely by their mouse movements. If you maintained that kind of fingerprinting in-game, you could simply ask the user to play a few rounds, then offer to reset if they're from a typical IP address. Might work well for this particular website.
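A sketch of the reset gate suggested above, as an added example that is not part of the original answer and not the method of the paper it mentions. The three mouse features, the thresholds, and all sample data are assumptions constructed for illustration.

```python
import math
from collections import Counter

MIN_IP_SESSIONS = 5   # assumption: sessions before an IP counts as "typical"
MAX_MEAN_Z = 2.0      # assumption: tolerated mean z-score vs. stored profile
MIN_ROUNDS = 3        # assumption: "a few rounds"

def typical_ips(session_ips):
    """IPs the account has played from at least MIN_IP_SESSIONS times."""
    return {ip for ip, n in Counter(session_ips).items() if n >= MIN_IP_SESSIONS}

def build_profile(rounds):
    """Per-feature (mean, stddev) over feature vectors recorded in normal play."""
    profile = []
    for values in zip(*rounds):
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        profile.append((mean, math.sqrt(var) or 1e-9))  # avoid divide-by-zero
    return profile

def mean_z(profile, features):
    """Mean absolute z-score of one round against the stored profile."""
    return sum(abs(x - m) / s for (m, s), x in zip(profile, features)) / len(profile)

def may_offer_reset(low_risk, request_ip, session_ips, profile, rounds):
    """True only if every gate passes; anything else goes to manual recovery."""
    if not low_risk or request_ip not in typical_ips(session_ips):
        return False
    if len(rounds) < MIN_ROUNDS:
        return False
    return sum(mean_z(profile, r) for r in rounds) / len(rounds) <= MAX_MEAN_Z

# Constructed sample data: (mean speed px/s, click interval ms, path curvature)
ENROLLED = [(410, 220, 0.31), (395, 235, 0.29), (420, 210, 0.33), (405, 225, 0.30)]
OWNER = [(400, 230, 0.30), (415, 215, 0.32), (408, 222, 0.31)]
STRANGER = [(650, 120, 0.55), (700, 110, 0.60), (640, 130, 0.52)]
HISTORY = ["203.0.113.7"] * 6 + ["198.51.100.9"]  # documentation-range IPs
PROFILE = build_profile(ENROLLED)

if __name__ == "__main__":
    print(may_offer_reset(True, "203.0.113.7", HISTORY, PROFILE, OWNER))
    print(may_offer_reset(True, "203.0.113.7", HISTORY, PROFILE, STRANGER))
```

The gate fails closed: a high-risk account, an IP seen only once, too few challenge rounds, or a behavioural mismatch each send the request to whatever manual recovery path exists.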