The standard Password Reset eMail text tells the User that if it wasn’t them that requested to change their password, just ignore the message…
It’s probably just me but this seems a little bit casual as it seems to be saying “Yeah, someone’s trying to gain access to your account but just ignore it”. Surely if someone’s trying to change your email, that’s quite a concerning scenario. Is there another step I can add that will make someone feel like they’re safe or do I really not need to concern myself about this.
For instance, right now I’m sitting in my office at home typing this. If my neighbour calls me and says “Hey, someone’s trying to defeat the lock on your front door”, I wouldn’t carry on sitting here ignoring it until they get in. I’d want to make sure that the police are on their way and that my dogs are waiting on this side of the door for them should they succeed. Should I therefore implement other steps in the password reset procedure in my app or is it really OK? And if I should put in extra steps, what should they be? I’m possibly just being paranoid about security.