You haven't been developing web apps very long, have you?
Steps 5 and 6 are horrible from a UX perspective and actually lower security a tiny bit.
By emailing out a single use password you make it possible for someone to eaves drop on the email train and login to your site using the single use password that you sent over email ... in clear text, over a system that may end up easily being stored on disk and snoop-able on many computers.
There is absolutely no reason to email them the password, you've already verified the email address is viewed by the user, doing it again just exposes that information to other people who may not know the users 2 security questions, but do already have access to the users' email.
You've effectively made your security questions useless if someone hacks the email account in the first place, which is often the case before using that to spider out and discover other services the user has. (You check the users sent/inbox/archive for emails from certain email addresses that are used by various services and can quickly tell the user does use specific services.)
Emailing a password is ALWAYS BAD PRACTICE.
Did you hear me? ALWAYS.
When you think you've figured out a way to make it 'safe'. Jab an unsharpened pencil in your eye as punishment and remember: ITS ALWAYS A BAD IDEA TO EMAIL PASSWORDS.
I'll go ahead and not bother pointing out how bad of an idea 'pre-defined' security questions are at this point, seems like you probably need to do some brushing up one security practices from someone who knows a bit about what they are doing. FFS, there are frameworks for every major web dev environment for user auth recovery. You shouldn't even be rolling your own.