Password reset by emailing temporary passwords

Question

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the user

Answer 1

In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there's no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.

Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.