The following is a quick post on how I would design a secure password recovery / forgot-password mechanism. I hope it is useful to you, since you can adopt portions of this policy for your own organization.
I would design a secure password recovery / forgot-password mechanism the following way:
First, if a user forgets his or her password, I would require that the user set a new one rather than have the old one sent back. I do not believe a user's password should ever be sent over email or SMS. The application can protect the message in transit with SSL/TLS or a VPN, but it cannot ensure the physical security of the password once delivered: if the user leaves a phone or an email client open in public, that password is effectively compromised. (Being able to send the password back at all would also mean the application stores it in a recoverable form instead of as a salted hash, which is a problem in its own right.)
Therefore, the first step when the user engages the forgot-password feature is to ask for a specific identifier (username or email address) that was collected at registration. The response to this step should look the same whether or not the account exists, so the feature cannot be used to enumerate valid usernames. Next, the user is prompted to answer the security questions chosen during registration. The answers are typed, not chosen from a drop-down list, and the user gets only a limited number of guesses before the reset is locked; attempts should also be rate-limited, since security questions are far weaker than a password and are the easiest step for an attacker to guess. If this succeeds, a link is sent to the user's phone or email address that lets the user set a new password on a separate page. The token in that link must be long and randomly generated, valid only for a short period, usable exactly once, and invalidated as soon as the password has been changed; it is also good practice to store only a hash of the token server-side and to log the user out of every existing session once the reset completes. Lastly, an audit log of password changes is kept, since an unusual frequency of resets on an account is a useful signal of malicious behavior.
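The following is an added example implementing the flow above as a small in-memory service; it is not code from the original post. The names (`ResetFlow`, `request_reset`, `complete_reset`), the 15-minute token lifetime, the three-guess limit and the PBKDF2 round count are assumptions chosen for illustration. It shows the pieces a practitioner would want to see: a slow salted hash for both the password and the security answer, a constant-time comparison, a random 256-bit token of which only the SHA-256 digest is stored, single-use redemption with an expiry check, session invalidation on change, and an audit log that can be queried for reset frequency.

```python
import hashlib
import hmac
import secrets
import time

# Policy knobs; these values are assumptions for this example, not from the post.
TOKEN_TTL_SECONDS = 15 * 60   # a reset link is valid for 15 minutes
MAX_ANSWER_ATTEMPTS = 3       # guesses allowed at the security question
PBKDF2_ROUNDS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for passwords and security answers (never stored in the clear)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _normalize_answer(answer: str) -> str:
    # Tolerate case and whitespace differences so "Fido" and " fido " both match.
    return " ".join(answer.split()).lower()


class ResetFlow:
    """Hypothetical in-memory reset state; a real deployment would back this with a database."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.users = {}         # username -> dict(pw_salt, pw_hash, ans_salt, ans_hash, session_gen)
        self.attempts = {}      # username -> failed security-question guesses
        self.tokens = {}        # sha256(raw token) -> (username, expires_at)
        self.audit = []         # (timestamp, username, event)

    def _log(self, username, event):
        self.audit.append((self.clock(), username, event))

    def register(self, username, password, answer):
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[username] = {
            "pw_salt": pw_salt,
            "pw_hash": _hash_secret(password, pw_salt),
            "ans_salt": ans_salt,
            "ans_hash": _hash_secret(_normalize_answer(answer), ans_salt),
            "session_gen": 0,   # bumped on reset so sessions issued before it stop validating
        }

    def request_reset(self, username, answer):
        """Step 2: verify the security answer. On success return the raw one-time token
        to be sent out of band (email/SMS); return None on failure or lockout. The HTTP
        response shown to the browser should be identical in every case."""
        user = self.users.get(username)
        if user is None:
            self._log(username, "reset_unknown_user")
            return None
        if self.attempts.get(username, 0) >= MAX_ANSWER_ATTEMPTS:
            self._log(username, "reset_locked")
            return None
        given = _hash_secret(_normalize_answer(answer), user["ans_salt"])
        if not hmac.compare_digest(user["ans_hash"], given):   # constant-time compare
            self.attempts[username] = self.attempts.get(username, 0) + 1
            self._log(username, "reset_bad_answer")
            return None
        self.attempts[username] = 0
        raw = secrets.token_urlsafe(32)                        # 256 bits of entropy
        digest = hashlib.sha256(raw.encode()).hexdigest()      # only the hash is persisted
        self.tokens[digest] = (username, self.clock() + TOKEN_TTL_SECONDS)
        self._log(username, "reset_link_issued")
        return raw

    def complete_reset(self, raw_token, new_password):
        """Step 3: redeem the link. The token is removed before anything else happens,
        so it is single-use; an expired token is rejected just like an unknown one."""
        digest = hashlib.sha256(raw_token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None:
            self._log("-", "reset_bad_token")
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            self._log(username, "reset_expired_token")
            return False
        user = self.users[username]
        user["pw_salt"] = secrets.token_bytes(16)
        user["pw_hash"] = _hash_secret(new_password, user["pw_salt"])
        user["session_gen"] += 1      # log out every session opened before the reset
        self._log(username, "password_changed")
        return True

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"], _hash_secret(password, user["pw_salt"]))

    def resets_in_window(self, username, seconds):
        """Audit query: number of completed password changes on the account recently."""
        cutoff = self.clock() - seconds
        return sum(1 for ts, u, e in self.audit
                   if u == username and e == "password_changed" and ts >= cutoff)
```

The important design choices are that the raw token exists only in the link sent to the user (a database dump yields only digests), that `tokens.pop` makes redemption atomic and single-use, and that `request_reset` returns `None` for an unknown user, a locked account and a wrong answer alike, so the caller can show one generic "if the account exists, a link has been sent" message.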