A challenge based on public-key crypto: the user has a known public key and can sign a specified message with his private key to prove he owns that public key while remaining anonymous.
This also allows for password recovery in the opposite direction: the site can publish passwords signed with users' public keys, and then users can decrypt their own using their private keys.
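The signing challenge described above, sketched as an added example that is not part of the original text. It assumes Ed25519 as the signature scheme; the `Verifier` type, the function names and the `prefix` label are hypothetical. The site issues a random single-use nonce with an expiry instead of letting the prover sign an arbitrary message, so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// prefix is a constructed domain-separation label, so a response is not a valid signature over other messages.
const prefix = "example-site/ownership-proof/v1:"

// Verifier is the site's side; it remembers outstanding nonces and their expiry.
type Verifier struct{ pending map[string]time.Time }

func NewVerifier() *Verifier { return &Verifier{pending: map[string]time.Time{}} }

// Challenge issues a fresh random nonce that is valid for ttl.
func (v *Verifier) Challenge(ttl time.Duration) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no safe fallback without randomness
	}
	v.pending[string(n)] = time.Now().Add(ttl)
	return n
}

// Respond is the user's side: sign prefix||nonce with the private key.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(prefix), nonce...))
}

// Verify accepts a response once, only for an unexpired nonce it issued.
func (v *Verifier) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	exp, issued := v.pending[string(nonce)]
	delete(v.pending, string(nonce)) // single use, even when verification fails
	if !issued || time.Now().After(exp) || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, append([]byte(prefix), nonce...), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier()
	nonce := v.Challenge(time.Minute)
	sig := Respond(priv, nonce)
	fmt.Println("first response accepted:", v.Verify(pub, nonce, sig))
	fmt.Println("replayed response accepted:", v.Verify(pub, nonce, sig))
}
```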