2014-03-01

You can see a "Forgot Password?" link near almost every login form.

As I mentioned in the question, since passwords are completely protected from outside access unless the owner reveals them, I came up with this question. I accept that the forgot-password process is highly secure. However, I want to make my application a little bit more user-friendly.

I want to just skip a process like this:

1. Get the user's email ID.
2. Generate a temporary password / encoded token.
3. Send it to the user's email.
4. Force the user to sign in to their email.
5. Get them back to the application through the attached link.
6. Ask them to enter a new password, and more if any further authentication is needed.

Yes, I accept that OAuth is the other option. However, I just want to give the user a dual password option instead of an OAuth process, so that if the user forgets the password, he/she can use the second one and get back into the application.

If I do these things, what are the security issues?

Worst cases: if the user also forgets the password for the email account, or the account is deleted or removed, what would be the alternative?

Why should I become dependent on another party (OAuth)?

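The token-based reset flow the question lists (generate a token, email it, let the user follow the link and set a new password), written out as an added example; this is not code from the original post or from any particular framework. The in-memory tables, the 15-minute lifetime, the token size, the injectable clock and the scrypt parameters are assumptions for illustration. The properties worth noticing are that the token is stored only as a hash, is single-use, expires, and that requesting a reset for an unknown email is handled without leaking whether the account exists to the requester:

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not from the original post).
TOKEN_TTL_SECONDS = 15 * 60   # reset link is valid for 15 minutes
TOKEN_BYTES = 32              # 256 bits of entropy per token


def _hash_token(token: str) -> str:
    """Tokens are stored hashed; a leaked pending-reset table cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetService:
    """In-memory stand-in for a users table and a pending-reset table.

    The clock is injectable so that token expiry can be exercised in tests.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}      # email -> (salt, scrypt digest)
        self._pending = {}    # sha256(token) -> (email, expires_at)

    # --- account management ---------------------------------------------
    def register(self, email: str, password: str) -> None:
        self._users[email] = self._hash_password(password)

    def verify_login(self, email: str, password: str) -> bool:
        stored = self._users.get(email)
        if stored is None:
            return False
        salt, digest = stored
        # Constant-time comparison of the derived key with the stored one.
        return hmac.compare_digest(self._scrypt(password, salt), digest)

    # --- steps 1-3: request a reset, produce the token for the email link --
    def request_reset(self, email: str):
        """Return the token to embed in the emailed link, or None.

        The HTTP layer must answer the requester identically in both cases
        ("if that address is registered, a link has been sent"); only the
        mail sender sees the None-vs-token difference.
        """
        if email not in self._users:
            return None
        self._revoke_pending_for(email)   # only one outstanding token per user
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[_hash_token(token)] = (email, expires_at)
        return token

    # --- steps 5-6: user follows the link and sets a new password ----------
    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self._pending.pop(_hash_token(token), None)   # single use
        if entry is None:
            return False                                      # unknown or already used
        email, expires_at = entry
        if self._clock() > expires_at:
            return False                                      # stale link
        self._users[email] = self._hash_password(new_password)
        return True

    # --- helpers ----------------------------------------------------------
    def _revoke_pending_for(self, email: str) -> None:
        for h, (e, _expires) in list(self._pending.items()):
            if e == email:
                del self._pending[h]

    @staticmethod
    def _scrypt(password: str, salt: bytes) -> bytes:
        # Illustrative work factor; tune for the deployment's hardware.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, maxmem=2 ** 26)

    @classmethod
    def _hash_password(cls, password: str):
        salt = secrets.token_bytes(16)
        return (salt, cls._scrypt(password, salt))
```

Note what this flow gives that a "second password" cannot: the secret that unlocks the reset lives only for a short window and only in the user's mailbox, so the account is not permanently protected by whichever of two long-lived passwords is weaker.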