Password reset by emailing temporary passwords

Front-end | unresolved | 4 answers | 1320 views
抹茶落季 2021-02-04 11:19

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the user

4 answers

攒了一身酷 2021-02-04 12:04

There's not really a better way for the general public. If it's an internal app, you could conceivably send encrypted e-mails that users have to decode with PGP, but that'd never fly for external users unless you've got a very high-value, niche product.

If e-mail is out, you'd have to use something like security questions, but they have their own (more significant, in my opinion) issues. Issues include:

• Guessable. Questions like "favourite colour" are fairly susceptible to guessing common choices like 'red', 'blue', 'green' etc.
• Findable. Many are things off a Facebook/MySpace/Twitter/Flickr profile or otherwise Googleable.
• Forgettable. I've selected "favourite vacation spot" and then a year or two later not been able to remember what I'd picked.
• Hard to parse. If I type "St. Paul" for a city name, but later come back with "Saint Paul", would that be accepted?
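The answer above treats e-mail as the only reset channel that works for the general public. The following is an added example, not code from the thread or from the company's SSO service, showing the usual way to use that channel without mailing a credential itself: the e-mail carries a random, single-use, time-limited token; the service stores only a hash of the token; redeeming it is the only thing that lets the user set a new password. The class name ResetTokenStore, the 15-minute lifetime, the PBKDF2 work factor and the in-memory dictionaries standing in for a database are all assumptions made for this example.

```python
"""Added example (not from the thread): an e-mail-delivered, single-use, time-limited
password-reset token instead of an e-mailed temporary password.
ResetTokenStore, TOKEN_TTL_SECONDS and PBKDF2_ITERATIONS are assumed names/values."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime of a mailed reset link
PBKDF2_ITERATIONS = 200_000      # assumed work factor for stored password hashes


def _token_hash(token: str) -> bytes:
    # Only this hash is stored, so reading the database does not yield usable tokens.
    return hashlib.sha256(token.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison of the recomputed digest.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """In-memory stand-in for the SSO service's database (constructed for the example)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                                   # injectable clock, for testing expiry
        self._tokens: Dict[bytes, ResetRecord] = {}       # sha256(token) -> record
        self.passwords: Dict[str, Tuple[bytes, bytes]] = {}   # user_id -> (salt, digest)

    def issue(self, user_id: str) -> str:
        """Return the raw token to embed in the e-mailed link; store only its hash."""
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        self._tokens[_token_hash(token)] = ResetRecord(user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password.
        Returns False for unknown, expired or already-used tokens without saying which."""
        record = self._tokens.get(_token_hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            return False
        # A successful reset burns every outstanding token for this user, not just this one.
        for other in self._tokens.values():
            if other.user_id == record.user_id:
                other.used = True
        self.passwords[record.user_id] = hash_password(new_password)
        return True

    def check_login(self, user_id: str, password: str) -> bool:
        creds = self.passwords.get(user_id)
        if creds is None:
            return False
        return verify_password(password, *creds)


def demo() -> bool:
    """Issue a token, redeem it once, confirm a replay fails and the new password works."""
    store = ResetTokenStore()
    token = store.issue("alice")                          # this string goes into the e-mail link
    ok = store.redeem(token, "correct horse battery staple")
    replay = store.redeem(token, "attacker-chosen")
    return ok and not replay and store.check_login("alice", "correct horse battery staple")


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

The point of the split between `issue` and `redeem` is that an intercepted e-mail buys the attacker at most one chance, for a short window, and a legitimate reset afterwards closes even that. A temporary password mailed in the clear, by contrast, is a working credential for as long as the user leaves it unchanged. Rate limiting of `issue` and a generic response for unknown addresses are left out here.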
