- User is not logged in
- User selects "forgot password"
- User enters username or email address
- An email is sent to the user to reset their password. Email contains a link to the "reset password" page and a token that expires
- User is prompted to enter old and new password
- After reset, returned token is invalidated
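
The token handling in the steps above, as an added example that is not part of the original page: the emailed token expires and is invalidated once it has been used. The `ResetTokenStore` class, the 15-minute lifetime, storing only a SHA-256 hash of the token, replacing a user's earlier token on re-issue, and the in-memory dict standing in for a database are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page only says the token expires


class ResetTokenStore:
    """In-memory stand-in (assumption) for a table of pending password resets."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be tested
        self._pending = {}    # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is kept, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create the token that goes into the emailed reset link."""
        # Assumption: a new request replaces any earlier token for this user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the username for a valid token exactly once, else None."""
        # pop() deletes the record before any other check, so the token is
        # invalidated whether the reset succeeds, fails, or has expired.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        username, expires_at = record
        if self._now() > expires_at:
            return None
        return username


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")   # constructed sample username
    print(store.redeem(link_token))     # first use succeeds
    print(store.redeem(link_token))     # second use is rejected
```
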