A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the user
There are plenty of more secure ways to reset a password. All of them are highly inconvenient to your users and expensive to maintain. Having every user send you a DNA sample and fingerprints and then requiring them to show up in person to be verified should help with your security. I'm surprised your top secret organization is allowing you to get security advice on Stack Overflow. All kidding aside, how secure does your application need to be? Will attackers really be resetting your users' passwords and then accessing their email?
XKCD always says it best: http://xkcd.com/538/