
Password reset is just passwordless with more steps

Ronald Chen, June 20th 2022


Apple is trying to get rid of passwords with Passkeys. While their efforts are applauded, many existing websites may still be stuck with email & password for a long time.

Don't be dismayed however! The passwordless dream is already here, it's just unevenly distributed. The funny thing is that every email & password login already depends on email, because that is how the user performs a password reset.

A password reset would typically send the user an email with a link that allows them to enter a new password. If we squint, this means the user can prove they own the account by proving they own their email. The password was just a quick means to authenticate the user.


But this begs the question: why offer the user the ability to provide a password at all? Processing and storing passwords properly requires security review, and that costs time and money. Why not forego all of this by simply having the user prove they own their email each time they wish to log in? The website still needs to handle email addresses as personally identifiable information, but at least an email address isn't as sensitive as a password. Secops will be pleased regardless: having less sensitive data to handle is always better.


This has many knock-on effects as well. During registration, the user is no longer prompted for a password; they complete the registration by verifying their email. This ensures both that the user owns the email address and that the address is legitimate.
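The same primitive serves both flows above: mint a random token, email it as a link, and accept the link once before it expires. The sketch below is an added example written for this post, not Battlefy's code; the `MagicLinkStore` class, its in-memory dictionary and the 15-minute lifetime are assumptions. It stores only the hash of each token (so a leaked table cannot be replayed), makes tokens single-use, and binds each token to a purpose so a registration-verification link cannot be redeemed as a login.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: magic links die after 15 minutes


class MagicLinkStore:
    """Hypothetical store of outstanding magic-link tokens.

    Only the SHA-256 of each token is kept, so the table itself never
    contains anything that can be pasted into a browser. A real service
    would back this with a database; a dict is enough to show the logic.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fast-forward
        self._pending = {}           # token_hash -> (email, purpose, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, purpose: str) -> str:
        """Mint a token for `email` (purpose is 'login' or 'verify-email')
        and return the raw token so the caller can embed it in the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email, purpose, expires_at)
        return token

    def redeem(self, token: str, purpose: str):
        """Return the proven email address, or None if the token is unknown,
        expired, already used, or issued for a different purpose.

        The entry is popped before any check, so a token is consumed by its
        first presentation whether or not that presentation succeeds."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, issued_for, expires_at = entry
        if issued_for != purpose or self._clock() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("alice@example.com", "login")  # constructed sample user
    print("https://example.com/login?token=" + link_token)   # what the email would carry
    print(store.redeem(link_token, "login"))                # alice@example.com
    print(store.redeem(link_token, "login"))                # None: single use
```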

Do you see user flows like Neo in The Matrix? We’d like to hear from you, Battlefy is hiring.
