Best practice for resetting forgotten user passwords

Question

As far as I can think, there are two reasonable ways to reset a user\'s forgotten password.

1. Have the user enter their email address and a new plaintext pass

Answer 1

OWASP has a good checklist of https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Here is a quick summary of steps:

1. Gather Identity Data or Security Questions
2. Verify Security Questions
3. Send a Token Over a Side-Channel
4. Allow user to change password