I'll admit the email verification flow is janky, but it's the best we've got if you want to support some form of out-of-band password reset.
OK, I've given this password reset a lot of thought. I didn't know the term 'out-of-band', but this is an idea along the lines of an alternative method which doesn't rely on email.
So, background: let's say my forum
contains no sensitive information, so it's not a terrible issue if a password recovery was hacked. So an easy password reset method wouldn't be a risk.
It has infrequent posters. The amount of password reset requests was huge. People were re-registering.
So the solution could be that admins could allow users to opt into an easy click-on-picture reset (if they wanted the option).
Method: you can try this a maximum of, say, once per month.
Click your favourite:
Film: Comedy, Horror, Drama, Historical, Nature, Crime
Fruit: Apple, Banana, Pear, Orange, Coconut, Grape, Pineapple
Color: Red, Blue, Green, Yellow, Brown, Black, White
If the correct choices are clicked, then you can reset your password there and then.
Probability of random hack 1/7 ^ 3, so less than 0.3%.
I'm sure there must be a name for this type of reset method; it's a kind of variant of answering 3 memorable questions, but with less to recall.
If the words are accompanied by pictures, most people remember the 3 items they chose.
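
A sketch of the check described in the post above, as an added example that is not part of the original post: it enforces the opt-in and the one-attempt-per-month limit, and computes the single-guess probability from the option lists as posted. The class and function names, the in-memory storage and the 30-day reading of "once per month" are assumptions.

```python
import hmac
from datetime import timedelta
from fractions import Fraction

# Categories exactly as listed in the post.
CATEGORIES = {
    "film": ["Comedy", "Horror", "Drama", "Historical", "Nature", "Crime"],
    "fruit": ["Apple", "Banana", "Pear", "Orange", "Coconut", "Grape", "Pineapple"],
    "color": ["Red", "Blue", "Green", "Yellow", "Brown", "Black", "White"],
}
ATTEMPT_INTERVAL = timedelta(days=30)  # assumption: "once per month" = 30 days


def guess_probability(categories=CATEGORIES):
    """Chance that one uniformly random set of clicks is correct."""
    p = Fraction(1)
    for options in categories.values():
        p *= Fraction(1, len(options))
    return p


class PictureReset:
    """Hypothetical in-memory store; a real forum would persist both dicts."""

    def __init__(self):
        self._choices = {}       # user -> {category: chosen option}
        self._last_attempt = {}  # user -> datetime of the last counted attempt

    def enroll(self, user, choices):
        # Opt-in: only users who enrolled can use this reset path.
        for cat, options in CATEGORIES.items():
            if choices.get(cat) not in options:
                raise ValueError(f"invalid choice for {cat}")
        self._choices[user] = dict(choices)

    def attempt(self, user, clicks, now):
        if user not in self._choices:
            return "not_enrolled"
        last = self._last_attempt.get(user)
        if last is not None and now - last < ATTEMPT_INTERVAL:
            return "rate_limited"
        # Record the attempt before checking, so a wrong guess uses up the quota.
        self._last_attempt[user] = now
        expected = "|".join(self._choices[user][c] for c in CATEGORIES)
        given = "|".join(str(clicks.get(c, "")) for c in CATEGORIES)
        ok = hmac.compare_digest(expected.encode(), given.encode())
        return "reset_allowed" if ok else "wrong"
```

With the lists as posted (six film options, seven fruit, seven colour), `guess_probability()` returns 1/294, about 0.34% per attempt.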