For Password Self Service, we do not want to use authentication but just enter a existing user ID to login to the page. . As a standard the users password is being reset immediately and sent to the email address in user master. This way it is possible to reset other user accounts password (when logging in with that user name).
is there a way to prevent this? For example a very commonly used confirmation email asking the user if it was really them asking a password reset, and then only after confirmation the password is reset?
Any help / tips much apreciated!