HACKER Q&A
📣 11235813213455

Embedding a reset-password form directly in email?


Typically a password reset flow is tedious: first you submit your email on the site, second you check your emails for a link, click that link, get redirected to a form where you finally reset your password.

I think most email clients can support HTML forms; what would you think of inlining the reset password form in the email directly? Any cons?


  👤 Etheryte Accepted Answer ✓
The threat for phishing attacks grows exponentially. When you redirect users to your webpage, they see a padlock in the URL bar, can check the certificates easily, and get a big red warning screen if the URL gets reported. They also have the option to go to the page manually, knowing for sure they're in the right place. In their email client they have none of those. As an attacker I could just as well email a form that asks for their old password in the form in order to get a new one.

👤 xuhu
It's harder for the user to tell that the email is from the right website, as opposed to checking the domain in the address bar. If I send an email from "Google" with a password reset form, would people type their password and hit submit?
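Both answers above make the same point: a form inside an email that collects a password is indistinguishable from a phishing lure. The following is an added example, not code from either commenter, showing how an inbound-mail scanner could flag exactly that pattern; the message bodies and URLs are constructed for the example.

```python
"""Flag HTML e-mails that embed a credential-collecting form.

Added example (not from the thread): a mail-gateway check that treats an
inline <form> containing a password input as a phishing indicator, which is
the reason inlining a reset form in the email itself is risky.
"""
from html.parser import HTMLParser


class FormScanner(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms(html_body):
    """Return the action URLs of forms in the e-mail that ask for a password."""
    scanner = FormScanner()
    scanner.feed(html_body)
    return [f["action"] for f in scanner.forms if f["password"]]


# Constructed sample messages (not real mail).
SAFE_MAIL = '<p>Reset your password: <a href="https://example.com/reset?t=abc">link</a></p>'
RISKY_MAIL = (
    '<p>Enter your current and new password:</p>'
    '<form action="https://accounts.example.net/reset" method="post">'
    '<input name="old" type="password"><input name="new" type="password">'
    '<input type="submit"></form>'
)

if __name__ == "__main__":
    for name, body in [("safe", SAFE_MAIL), ("risky", RISKY_MAIL)]:
        print(name, credential_forms(body))   # safe -> [], risky -> one action URL
```

A link-only reset mail produces no hits, while a mail carrying an inline password form is flagged with the URL the credentials would be posted to.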