Best way is to lock the account then send email to account holder email address then keep it locked untill some security steps are made. (e.g. secret answer to a secret question). sms is sent through a mobile carrier and i dont think that you want to pay for all forgotten passwords/ hacking atempts. if you want i can make and integrate a login system with what features you want with php.