Apple is trying to get rid of passwords with Passkeys. While their efforts are applauded, many existing websites may still be stuck with email & password for a long time.
Don't be dismayed, however! The passwordless dream is already here; it's just unevenly distributed. The funny thing is that all email & password logins require an email address so that the user can perform a password reset.
A password reset would typically send the user an email with a link that allows them to enter a new password. If we squint, this means the user can prove they own the account by proving they own their email. The password was just a quick means to authenticate the user.
But this raises the question: why offer the user the ability to provide a password at all? Processing and storing passwords properly requires security review, which costs time and money. Why don't we forgo all of this by simply having the user prove they own their email each time they wish to log in? While the website still needs to handle email as personally identifiable information, at least it isn't as sensitive as a password. This will please secops regardless. Having to handle less data is always better.
This has many knock-on effects as well. During registration, the user will no longer be prompted for a password. The user completes the registration by verifying their email. This ensures both that the user owns the email and that the email is legitimate.
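A sketch of the email-ownership check described above, covering both login and registration. This is an added example, not Battlefy's code. The function names, the in-memory store, the 15-minute lifetime and the `example.com` URL are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a login link is valid for 15 minutes

# Assumption: in-memory stand-in for a database table.
# Maps sha256(token) -> (email, expiry). The raw token is never stored,
# so a leaked table does not hand out usable login links.
pending_logins = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_link(email, now=None):
    """Create a single-use link to send to the address the user typed in."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending_logins[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    # example.com is a placeholder host, not a real endpoint.
    return "https://example.com/login/verify?token=" + token


def redeem_login_token(token, now=None):
    """Return the verified email, or None if the token is unknown, used or expired."""
    now = time.time() if now is None else now
    # pop() makes the token single-use: a replayed link finds nothing.
    entry = pending_logins.pop(_digest(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    # The caller starts a session for this email, creating the account
    # first if this is the user's registration.
    return email
```

The only secret the site holds is a short-lived token hash, which is the "less data" the post argues for: there is no long-lived credential to hash, rotate or leak.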
Do you see user flows like Neo in The Matrix? We’d like to hear from you, Battlefy is hiring.