Re: UI Design review: Course structure section
by Dan Gray - Thursday, 27 March 2014, 9:57 AM

Hi Sven

The designs are looking great. Everything looks really clear and easy to follow. I had a look from a security perspective and found the following.

I think the login process should have a maximum number of failed logins before the account is locked, to prevent brute-force attacks. The account could be unlocked by going through the reset password process or after a period of time (e.g. 1 hour). Annoying, I know, but good security practice.

I have one concern regarding the forgot login data, step 4a. Giving an error message 'email not found' allows for email enumeration.

The forgotten login endpoint suggests that the application is checking whether the email was delivered successfully. If the application can check that, it also allows for email enumeration. It should have a generic 'Email has been sent' message. This last one may be me misunderstanding the message.

Dan
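The two points raised in the post above (locking an account after a maximum number of failed logins, with unlock either after a timeout or by completing the password reset, and a forgotten-password flow that answers identically whether or not the email exists or was delivered) are shown together in the following example. This is added illustration code in Python, not code from the reviewed design or from anyone in this thread; the class name `AuthService`, the thresholds, the in-memory storage and the injectable `clock`/`send_email` hooks are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Values below are assumptions chosen for illustration, not from the design.
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 3600          # "after a period of time (e.g. 1 hour)"
RESET_TOKEN_TTL = 900           # assumption: reset tokens expire after 15 minutes
GENERIC_RESET_MESSAGE = "Email has been sent"   # same reply for every request


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow password hash works.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Used so that a login attempt for an unknown email costs the same time as a
# real one; otherwise response time alone would reveal which emails exist.
_DUMMY_SALT = secrets.token_bytes(16)


class AuthService:
    """Hypothetical in-memory auth service. `clock` and `send_email` are
    injectable so lockout expiry and delivery failures can be exercised."""

    def __init__(self, clock=time.time, send_email=None):
        self.clock = clock
        self.send_email = send_email or (lambda to, body: None)
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, tuple[str, float]] = {}   # token -> (email, expiry)

    def register(self, email: str, password: str) -> None:
        key = email.strip().lower()
        salt = secrets.token_bytes(16)
        self.accounts[key] = Account(key, salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'."""
        acct = self.accounts.get(email.strip().lower())
        now = self.clock()
        if acct is None:
            hash_password(password, _DUMMY_SALT)   # equalise timing, see above
            return "invalid"                        # same answer as a wrong password
        if acct.locked_until > now:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins = 0
            return "ok"
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_SECONDS   # unlocks itself after the timeout
            acct.failed_logins = 0
            return "locked"
        return "invalid"

    def request_reset(self, email: str) -> str:
        """Always returns GENERIC_RESET_MESSAGE: the caller learns nothing about
        whether the email is known or whether sending the mail succeeded."""
        acct = self.accounts.get(email.strip().lower())
        if acct is not None:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = (acct.email, self.clock() + RESET_TOKEN_TTL)
            try:
                self.send_email(acct.email, f"Reset token: {token}")
            except Exception:
                pass   # log server-side in a real system; never surface to the caller
        return GENERIC_RESET_MESSAGE

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(token, None)   # single use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.failed_logins = 0       # completing the reset clears the lockout
        acct.locked_until = 0.0
        return True
```

Note the trade-off in `login`: answering "locked" tells the caller the account exists, which the post accepts in exchange for the user knowing they can reset. The reset path, by contrast, returns one constant string and swallows delivery errors, so neither the error text nor a failed send can be used to enumerate addresses.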