BlocklyProp
Multiple user account reset requests invalidate prior request tokens
When a user requests a password reset, the app obtains a token, then creates and sends an email to the user's registered address. The email contains a URL and a token that can be used to reset the user's password. If the user submits a second request before acting on the first email, the app rescinds the token from the first email and issues a new token and email. We have reports of users doing this several times in quick succession when the reset email is delayed for any reason.
One possible solution to this is to advise the user that a password reset is already outstanding (in process) and provide an option to resend the reset token to the registered email address. I really think we need to provide some feedback to the user to let them know that, under the existing system, they are going to break the current password reset process and start anew.
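To make the two behaviours concrete, here is a small Python model added to this issue (it is not BlocklyProp's own code). The `invalidate_on_repeat=True` policy reproduces what the issue reports: a repeat request mints a fresh token and the earlier link silently stops working. The `invalidate_on_repeat=False` policy is the proposal above: a repeat request is answered with "outstanding", and a separate `resend` re-mails the same link, throttled so the resend button cannot be used to flood a mailbox. Tokens are compared by hash in constant time and are single-use. The 30-minute lifetime, the one-resend-per-minute limit, the in-memory store, the `example.invalid` link host and the retention of the plaintext token purely so the same link can be re-sent are all assumptions of this example, not facts about BlocklyProp.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60   # assumption: a reset link is valid for 30 minutes
MIN_RESEND_INTERVAL = 60      # assumption: at most one re-send per minute per account


@dataclass
class ResetRecord:
    token_hash: str    # compared on use, so a leaked store does not yield usable tokens
    token: str         # assumption: plaintext kept only so the same link can be re-sent
    issued_at: float
    last_sent_at: float
    sends: int = 1


@dataclass
class PasswordResetService:
    """Minimal in-memory model of the reset flow; `outbox` stands in for the mailer."""
    invalidate_on_repeat: bool   # True = behaviour reported in the issue, False = proposal
    outbox: list = field(default_factory=list)
    _records: dict = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _send(self, email: str, token: str) -> None:
        # constructed placeholder host; a real mailer would deliver this link
        self.outbox.append((email, f"https://example.invalid/reset?token={token}"))

    def _live(self, email: str, now: float) -> Optional[ResetRecord]:
        rec = self._records.get(email)
        if rec is None:
            return None
        if now - rec.issued_at >= TOKEN_TTL_SECONDS:
            del self._records[email]     # expired: forget it
            return None
        return rec

    def request_reset(self, email: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        rec = self._live(email, now)
        if rec is not None and not self.invalidate_on_repeat:
            # proposed behaviour: report the outstanding request instead of replacing it
            return {"status": "outstanding", "issued_at": rec.issued_at}
        # reported behaviour (or no live request): mint a new token; any prior one is gone
        token = secrets.token_urlsafe(32)
        self._records[email] = ResetRecord(self._hash(token), token, now, now)
        self._send(email, token)
        return {"status": "issued"}

    def resend(self, email: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        rec = self._live(email, now)
        if rec is None:
            return {"status": "none"}
        if now - rec.last_sent_at < MIN_RESEND_INTERVAL:
            return {"status": "throttled"}   # the resend button cannot flood a mailbox
        rec.last_sent_at = now
        rec.sends += 1
        self._send(email, rec.token)        # same link as before, so the first email stays valid
        return {"status": "resent"}

    def consume(self, email: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self._live(email, now)
        if rec is None or not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        del self._records[email]   # single use
        return True


def link_token(link: str) -> str:
    """Pull the token out of a link from the outbox (used when exercising the model)."""
    return link.split("token=", 1)[1]
```

With `invalidate_on_repeat=True`, two quick requests produce two different links and only the second one redeems; with the proposed policy the second request returns `outstanding`, `resend` re-mails the identical link, and both emails the user receives lead to the same working token.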