What would be the most user-friendly way to request a lost password if remembering it from mail isn’t practical?
I'm developing an app in which the user can set a password for it so it has to be entered if the app is desired to be accessed. That password is just for their own use of the application if they wish to not allow access to it easily, so I don't store them in a server, it's stored in their own device in a hidden way.
At first, I had though about implementing the typical resending of the password to a email they have initially defined, but this supposes a big problem, any hacker will be able to easily get the user and password of the mail server by studying the code via a disassembler, that's a huge security fail, only way to be solved would be to convert the device in a mail server itself, which is a lot of job that is not worth it.
I had thought about implementing the secret question that was highly used some years ago, but maybe some other ways are possible that are user-friendly.
Which would be these ways, if any?