I'm looking to emulate the password reset flow from www.live.com. That is (skip email option for now):
1) Screen asking/confirming the username
2) Ask reset method (account verification or email reset)
3) Gather account info and verify it
4) Present user with a password reset inputs.
So I was looking for any tips on how to do this a proper way. I planned on having each 'step' post back to the same action and build up the model as I go (putting properties/fields into hidden inputs or regular inputs based on the step I was on). Then on step 4, I'd re-verify the account information (just in case someone tried to hack and post directly to step for with username and new password).
This would all be done over SSL and the only drawback I can see is that for step 4, I would be rendering the users 'secret question answer' in an hidden input so it could be submitted/validated again before completing the password reset.
Is this the proper way to implement this screen or are there some security holes I'm not seeing?