I’ve had a very courteous email from one of the founders of ALLOW, following my analysis of their password reset procedure.
“Thank you for your feedback regarding the security of our platform. We are constantly reviewing these processes and regard our members’ security as paramount, whilst ensuring our processes are navigable to the majority of the UK. We have had the platform professionally penetration tested, but your email demonstrates an excellent understanding of the challenges and we would welcome your suggestions on our options for improving the password reset process.
“We will be extending our SSL certificate to the publicly accessible website, and please be assured that this is held on a different architecture to that of the Member application.”
This is very promising!