A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the username to the reset function. If that username is associated with an email address, then an email is sent to that address with a temporary password.
The other approach seems to be sites which email a secure, temporary link which presents a page for the user to input a new password. This page only exists for a short period of time.
I know that email is not a secure protocol, so people could sniff the traffic and recover either the temporary password or the temporary link.
Are there any significant security reasons to prefer one method over the other? Is there another, more secure way to do this?
In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there’s no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.
Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.