安全密码重置，无需发送电子邮件

如何在不向用户发送电子邮件的情况下实现安全的密码重置功能?我存储了另一安全信息，只有用户应该知道，但是仅仅因为用户知道9位数字而让用户更新密码似乎是不安全的.

How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.

请注意，由于我正在使用的服务器上的实际数据库用户受到限制，因此用户数据存储在简单的SQL表中.

Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.

任何输入将不胜感激.

更新:
在尝试使用OpenID并记住该服务器不允许PHP(以及cURL)发出任何外部请求之后，我尝试再次使用PHP发送邮件.显然，我以前在该服务器上使用mail()的所有糟糕经历都消失了.

Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.

感谢您的所有输入，以后我可能会再次查看OpenID.

Thanks for all of your input, I may look into OpenID again in the future.