I notice that the default ASP.NET Core Identity templates ask for the email address after the reset email notification link has been followed (i.e. the "choose a new password" form in the ResetPassword.cshtml view).
Why would having the user re-provide their email address when choosing a new password be more secure?
I get that the token could be sniffed from the email, but if that's the case, then surely the email address could be sniffed at the same time?