I just finished an update of my white paper that describes best practices for creating a secure "forgot password" feature. There are two important additions to the paper.
- A section to describe an extra step that can be taken to provide even more protection. This step involves using email as an out-of-band communication channel.
- A paragraph to explain that the recommendations may not be feasible for all web sites. The concepts presented in the paper are most relevant for organizations that have a business relationship with users.
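To make the out-of-band step concrete, here is an added example of the email-based reset flow in Python. It is illustrative code written for this post, not the white paper's own recommendations or any product's implementation; the in-memory `Store`, the `example.invalid` link, the 15-minute lifetime and the PBKDF2 stand-in for a password KDF are all assumptions. The requester only ever sees a generic message; the single-use, time-limited token is delivered to the account's mailbox, and the server keeps only a hash of it.

```python
"""Added example (not from the white paper): out-of-band password reset via email.

Properties demonstrated:
  * the same generic response whether or not the address is registered
  * a 256-bit CSPRNG token delivered only over the email channel
  * the server stores a hash of the token, never the token itself
  * the token is single-use and expires after TOKEN_TTL_SECONDS
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


@dataclass
class User:
    email: str
    password_hash: str = ""
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0


@dataclass
class Store:
    users: dict = field(default_factory=dict)   # lowercase email -> User
    outbox: list = field(default_factory=list)  # constructed stand-in for the mail relay


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked database yields no usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> str:
    # Stand-in for a proper password KDF (argon2/bcrypt): salted PBKDF2 from stdlib.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + dk.hex()


def verify_password(user: User, password: str) -> bool:
    salt_hex, dk_hex = user.password_hash.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def request_reset(store: Store, email: str, now: Optional[float] = None) -> str:
    """Step 1: the requester learns nothing beyond GENERIC_RESPONSE; the token goes out of band."""
    now = time.time() if now is None else now
    user = store.users.get(email.lower())
    if user is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        user.reset_token_hash = _hash_token(token)
        user.reset_expires_at = now + TOKEN_TTL_SECONDS
        # Assumed link format; in production this is handed to the mailer, not returned.
        store.outbox.append((user.email, f"https://example.invalid/reset?token={token}"))
    # Identical response for known and unknown addresses (no account enumeration).
    return GENERIC_RESPONSE


def complete_reset(store: Store, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step 2: whoever presents the emailed token has shown control of the mailbox."""
    now = time.time() if now is None else now
    presented = _hash_token(token)
    for user in store.users.values():
        stored = user.reset_token_hash
        if stored is None or not hmac.compare_digest(stored, presented):
            continue
        # Single use: invalidate before the expiry check so a stale token cannot be retried.
        user.reset_token_hash = None
        if now > user.reset_expires_at:
            return False
        user.password_hash = _hash_password(new_password)
        return True
    return False
```

The linear scan in `complete_reset` keeps the example short; a real deployment would index pending tokens by their hash and would also invalidate existing sessions once the password changes.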