Best Practice for Password Reset in ASP.NET MVC

I want to emulate the password reset from www.live.com. That is (until you specify the email option):

1) Screen requesting / confirming username

2) Ask for the reset method (account verification or reset email address)

3) Gather account information and verify it

4) Present the user with the password reset inputs.

So, I was looking for all the tips on how to do this properly. I planned for each "step" to return to the same action and build up a model as I submitted (placing properties / fields in hidden inputs or regular inputs depending on the step I was at). Then, in step 4, I re-checked the account information (just in case someone tried to hack it and submit directly to that step with the username and new password).

All this will be done via SSL, and the only drawback that I see is that for step 4 I would carry the user's secret response in a hidden form field so that it can be sent / verified again before completing the password reset.

Is this the right way to implement this screen, or are there any security holes that I don't see?

1 answer

I am not an expert in this, but I like the idea in this related question. Use the hash to identify the user in step 4 instead of sending your secret response on a round trip.

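As an added example that is not part of the question or the answer, here is a minimal C# token service of the kind the answer points at. After step 3 verifies the account, the server issues a random, single-use, expiring token and stores only its hash; step 4 then needs just that token, so the user's secret response never has to travel in a hidden field (hidden inputs are fully under the client's control and are echoed back into the HTML of the step-4 page). The class and method names and the in-memory dictionary are assumptions; a real application would persist pending resets in its user store and hand the token over by e-mail or as a hidden field in the step-4 form.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post. Holds pending resets in memory;
// a real application keeps them in its user store.
public sealed class PasswordResetTokenService
{
    private sealed class PendingReset
    {
        public string UserId;
        public DateTimeOffset ExpiresAt;
    }

    // Keyed by the hex SHA-256 of the token. Only the hash is stored, so a copy of
    // this table is not enough to complete a reset: the raw token is still needed.
    // Dictionary key comparison is not constant-time, but with a 256-bit random
    // token hashed first, timing on the hash reveals nothing usable about the token.
    private readonly Dictionary<string, PendingReset> _pending = new Dictionary<string, PendingReset>();
    private readonly TimeSpan _lifetime;

    public PasswordResetTokenService(TimeSpan lifetime)
    {
        _lifetime = lifetime;
    }

    // Step 3 succeeded (username and account details verified): issue a token.
    // The raw token goes into the reset e-mail link or the step-4 form; it is never stored.
    public string Issue(string userId)
    {
        var raw = new byte[32];                       // 256 bits of randomness
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        string token = ToUrlSafeBase64(raw);
        lock (_pending)
        {
            // Any earlier token for this user is invalidated: one outstanding reset per account.
            foreach (var key in new List<string>(_pending.Keys))
            {
                if (_pending[key].UserId == userId) _pending.Remove(key);
            }
            _pending[HashToken(token)] = new PendingReset
            {
                UserId = userId,
                ExpiresAt = DateTimeOffset.UtcNow + _lifetime
            };
        }
        return token;
    }

    // Step 4: the user posts the token together with the new password. Returns the
    // user id the token belongs to, or null if it is unknown, expired, or already used.
    // The token is consumed on every lookup so it cannot be replayed.
    public string Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = HashToken(token);
        lock (_pending)
        {
            PendingReset entry;
            if (!_pending.TryGetValue(key, out entry)) return null;
            _pending.Remove(key);                     // single use, even when expired
            if (entry.ExpiresAt < DateTimeOffset.UtcNow) return null;
            return entry.UserId;
        }
    }

    private static string HashToken(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Base64 with the URL-unfriendly characters replaced, so the token survives a query string.
    private static string ToUrlSafeBase64(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// Illustrative use from a controller (sketch of the two steps, not a real MVC action):
// step 3:  string token = resetService.Issue(user.Id);   // e-mail it, or place it in the step-4 form
// step 4:  string userId = resetService.Redeem(form["token"]);
//          if (userId == null) { /* reject with a generic failure message */ }
//          else { /* set the new password for userId, then invalidate existing sessions */ }
```

The step-4 action only needs the token and the new password; it no longer has to re-collect or re-verify the step-3 answers, because a valid token proves that step 3 was passed by the server, not just claimed by the client. Keep the lifetime short (minutes, not days) and rate-limit the step-1 and step-3 endpoints, since those are where an attacker would probe usernames and account details.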

Source: https://habr.com/ru/post/1751814/

