What are best practices for activation/registration/password-reset links in emails with nonce

Question

Applications send out emails to verify user accounts or reset a password. I believe the following is the way it should be and I am asking for references and implementations.

Answer 1

About password reset:

The practice of doing this by sending an email to the user's registered email address is, while very common in practice, not good security. Doing this fully outsources your application security to the user's email provider. It does not matter how long passwords you require and whatever clever password hashing you use. I will be able to get into your site by reading the email sent out to the user, given that I have access to the email account or am able to read the unencrypted email anywhere on its way to the user (think: evil sysadmins).

This might or might not be important depending on the security requirements of the site in question, but I, as a user of the site, would at least want to be able to disable such a password reset function since I consider it unsafe.

I found this white paper that discusses the topic.

The short version of how to do it in a secure way:

1. Require hard facts about the account

   1. username.
   2. email address.
   3. 10 digit account number or other information like social security number.

2. Require that the user answers at least three predefined questions (predefined by you, don't let the user create his own questions) that can not be trivial. Like "What's your favorite vacation spot", not "What's your favorite color".

3. Optionally: Send a confirmation code to a predefined email address or cell number (SMS) that the user has to input.

4. Allow the user to input a new password.