It sounds like you are going to do a lot of extra coding, to make all of your users come up with security questions and answers, to avoid confusing a user if a poser tries to get his kicks by triggering an unwanted email.
Doesn't that just inconvenience everyone? Do you anticipate a level of abuse that would warrant that?
Maybe I'm missing something. I've never had an issue with the "Forgot Password" email.
The way the forgot password feature works currently in SA (if my understanding is correct) is that any person can click on the forgot password link, which prompts for an email address (in our case, the email address is their MemberID because it's unique to them). Once the email address is supplied, the owner of that email address is sent an email containing the plain-text version of a randomly generated password. Meanwhile, the encrypted version of the new password is saved in the database for the owner of the email address (our client).
The problem here is that ANYONE could supply an email address for someone else which would cause a new password to be generated and stored in the database despite the fact that the owner of the email address didn't request it (sometimes the owner of the email address may request it, but there's nothing stopping someone else from entering the user's email address).
When users create their profile the first time, they enter their contact info, and pick from a list of questions we have stored in a table. A question might be "what is the name of your favorite pet?". The user answers this question with a name. They could also choose a question that is more complex that requires a multiple word answer (which is what we suggest they do). It's their choice. We store the question they picked plus their secret answer in their profile. The purpose of the secret question/answer is to ensure we are dealing with the actual user (our client) and not a poser.
It isn't a lot of extra coding because we simply create a table with the list of secret questions and present that to the user in a drop-down list dynamically on their profile page. The question they pick is an option number that corresponds to a question in the secret question table. They don't make up a secret question, they pick from a list of questions and then supply their answer (in the telecom industry there is a law regarding what the questions can be). We can easily retrieve and display the question because we stored the option number from the dynamic list of questions along with their answer in their profile.
The key here is that we are trying to stop posers that are trying to screw with an account because they think it's funny or they are trying to cause our business harm by causing confusion for our customers when our customer gets an email saying their password has been reset (and they didn't request it). The person clicking the forgot password link does NOT need the email address and password because the whole idea here is that the person couldn't remember their password (for the legitimate user). This is to address a person that doesn't necessarily want to get access to the user's info, but more that they intend to cause problems for our clients or our business by creating confusion.
It's already occurring in our business and causes problems for us because we get phone calls from the client wanting to know who requested a password change, since they didn't do it. When you find yourself dealing with a few hundred thousand clients, the phone calls and answering emails quickly become a problem that costs us money and affects our reputation, not counting the hassle for our clients. Picking a secret question from a canned list of questions and supplying a secret answer is very minor since it only occurs when the profile is set up. We offer them the ability to select a new question and supply a new answer when they want to edit their profile info, but they may choose to never change this again after the initial profile was created. Sometimes the secret Q/A is changed because a new person (representing a company) takes on the role of the client and didn't like the previous secret Q/A.
Hopefully this clears up some of the confusion.
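The two flows the post contrasts, as an added Python example (not SA's code or the poster's): the current behaviour, where any request for a known email overwrites the stored password, beside the proposed gate, where the reset only happens once the supplied secret answer matches the stored one. The function names, the two-entry question table and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed secret-question table (option number -> question), as the post describes.
SECRET_QUESTIONS = {
    1: "What is the name of your favorite pet?",
    2: "What is the street name and city of your first office?",
}
ITERATIONS = 100_000  # PBKDF2 work factor; assumption, tune for your hardware

def hash_secret(value: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS).hex()

def normalise_answer(answer: str) -> str:
    # Case and stray whitespace should not make "Fluffy " fail against "fluffy".
    return " ".join(answer.strip().lower().split())

def make_profile(email: str, question_no: int, answer: str, password: str) -> dict:
    # Only the option number and a salted hash of the answer are stored, never the plain answer.
    a_salt, p_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {"email": email, "question_no": question_no,
            "answer_salt": a_salt, "answer_hash": hash_secret(normalise_answer(answer), a_salt),
            "password_salt": p_salt, "password_hash": hash_secret(password, p_salt)}

def verify_password(profile: dict, password: str) -> bool:
    return hmac.compare_digest(profile["password_hash"],
                               hash_secret(password, profile["password_salt"]))

def question_for(profiles: dict, email: str):
    # The stored option number is all that is needed to redisplay the question.
    profile = profiles.get(email)
    return SECRET_QUESTIONS[profile["question_no"]] if profile else None

def _reset(profile: dict) -> str:
    # Generate a random password, store only its hash; the plain text is what gets emailed.
    new_password = secrets.token_urlsafe(12)
    profile["password_salt"] = secrets.token_bytes(16)
    profile["password_hash"] = hash_secret(new_password, profile["password_salt"])
    return new_password

def forgot_password_current(profiles: dict, email: str):
    """The flow the post describes: any request for a known email replaces the password."""
    profile = profiles.get(email)
    return _reset(profile) if profile else None

def forgot_password_gated(profiles: dict, email: str, answer: str):
    """The post's proposal: the password is replaced only after the secret answer matches."""
    profile = profiles.get(email)
    if profile is None:
        return None
    supplied = hash_secret(normalise_answer(answer), profile["answer_salt"])
    if not hmac.compare_digest(profile["answer_hash"], supplied):
        return None  # wrong answer: stored password untouched, no email sent
    return _reset(profile)
```

With the gate in place, a request from someone who does not know the answer leaves the client's stored password exactly as it was, so no unexpected "your password has been reset" email goes out.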