by kiritsinh 5447 days ago
I agree on the fact that 'Generate temp password' will require more dev and user efforts, but I don't think 'generate password' is more vulnerable than the link if the generated password is time bound. Also, to make 'the link' more secure we need to verify the user identity. To make that happen we need to store the user identity in the application.

>i don't think 'generate password' is more vulnerable

No offense, but I listed reasons why it is more vulnerable.

>Also to make 'the link' more secure we need to verify the user identity.

What? No. That's completely wrong. You're inherently trusting the user's email address. Maybe make them answer a security question before sending the link, but otherwise, there's nothing else to secure.

If the user can't log in, how do you plan to verify the user identity? And I have no idea what "need to store the user identity in the application" is supposed to mean...
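The thread turns on two properties both commenters mention: the reset secret must be time bound, and the email address is the only identity the application can trust at that point. The example below is an added illustration, not code from either commenter. It implements the "link" variant as a defender would: a high-entropy token is generated, only its hash is stored with an expiry and a used flag, and redemption refuses anything expired or already consumed. The in-memory store, the 15-minute TTL, the `https://example.invalid` base URL and the injectable clock are all assumptions made for the example; a real deployment would persist the record in a database.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a reset secret; the thread only says "time bound".
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Issues and redeems single-use, time-bound password reset tokens.

    Only a SHA-256 digest of each token is kept, so a leaked copy of the
    store does not hand out usable reset links. The clock is injectable
    so expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # digest -> {"user_id", "expires_at", "used"}  (hypothetical in-memory store)
        self._records = {}

    def issue(self, user_id):
        """Create a fresh token for user_id and return the raw token.

        The raw token is sent to the user's verified email address and is
        never stored; the email inbox is the identity check, as the reply
        above points out.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = {
            "user_id": user_id,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user_id the token belongs to, or None if it is invalid.

        A token is invalid if unknown, already used, or past its expiry.
        Marking it used before returning makes each link single-use even
        if the caller retries.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Compare against every stored digest with a constant-time comparison
        # so the lookup itself does not leak how many leading characters match.
        match = None
        for stored_digest, record in self._records.items():
            if hmac.compare_digest(stored_digest, digest):
                match = record
        if match is None or match["used"]:
            return None
        if self._clock() > match["expires_at"]:
            return None
        match["used"] = True
        return match["user_id"]


def reset_link(token, base_url="https://example.invalid/reset"):
    """Build the URL that is emailed to the user (base URL is assumed)."""
    return f"{base_url}?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("email this to the user:", reset_link(tok))
    print("first redeem ->", store.redeem(tok))   # alice
    print("second redeem ->", store.redeem(tok))  # None: single use
```

The same expiry and single-use checks would apply to a temporary password; the link variant simply spares the user from typing the secret and never stores it in recoverable form. Note that `redeem` does not need any stored "user identity" beyond the user_id the token was issued for, which is the point the reply makes.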