There is a possible security issue in the initial password token handling: please prepare a second token transfer path. Issue: If the account hasn't been created already, LiquidFiles sends the token e-mail to the recipient in a separate email. A hacker who can read this mail can log in to the LiquidFiles account and steal information. Is it possible to send the email with the token and the authentication link to the sender instead of the recipient? It makes sense to send the information via a second communication path like phone or whatever (SMS is not an option for us).
Every single password reset function works this way, by sending an email token to the account requesting the password reset. This is not likely to change. If you want stronger user account creation, you can manually create accounts, including setting 2-factor authentication for the account before the account is created.