We have an application where the user can clink on "Forgot My password" link to retrieve his/her password. Right now we do ask a security question as set by the user when the user enters the user id.
But going forward we want to send an email to the user with a link , so that the user can click on the link & then is asked the security question. This is to make sure that we do not expose the security question to the user directly after entering the user id.
Secondly, to make it more secure, how do I put a image verification , so that the user enters the text shown in the image before he/she does anything.
This is being currently used by google & other applications.