Forget the password reset flow as you know it


Auth & identity

July 19, 2021

Author: Reed McGinley-Stempel


For those still using password-based authentication, implementing a password reset flow can be a frustrating step. Not only is it a headache to build, but it introduces unnecessary friction to the user experience and frequently results in users abandoning the interaction.

A password reset flow is essentially a passwordless login with many additional steps tacked on. By leaning into this and using passwordless solutions as an alternative to password resets, you can delight your users and increase conversion and engagement.

To illustrate this point, we’ve identified three ways a password reset flow can undermine your app’s performance—and a glimpse at how passwordless solutions can help.

1. Users forget their passwords, and they forget them faster than you think

The password reset flow is often an afterthought. If you’ve spent multiple sprints building a secure password login, it feels reasonable to wait on the password reset process and focus on your core product.

After all, how many people will really forget their password in the first months after launch?

The truth is, users are creating exponentially more passwords each year as they discover new apps and open new accounts. And the more passwords they accumulate, the likelier they are to forget them.

According to a recent study, over 20% of users report forgetting a newly created password within two weeks. That number climbs to over 70% after just a few months.

Source: Joint study from Mastercard and the University of Oxford

So, when’s the right time to build a password reset flow? If you’re choosing to rely on password-based authentication, it’s right away—before that first forgetful user reaches out for help.

(Of course, we’d say never. If you go fully passwordless, you’ll avoid this problem altogether.)

2. The password reset flow is just an overly complicated email verification

It’s easy to forget that the password reset flow is really just a multistep email verification process.

When a user goes through a password reset, they’re essentially experiencing passwordless authentication.

But instead of receiving a quick email login link—otherwise known as a “magic link”—they’re seeing something like this:

Step 1: User forgets password.
Step 2: User clicks “Forgot password?” link.
Step 3: User enters email and requests password reset flow.
Step 4: User opens inbox and clicks the password reset link.
Step 5: User creates a new password with a set of 10 elaborate security requirements.
Step 6: User confirms new password.
Step 7: User is redirected to the original login page.
Step 8: User enters username and new, complicated password.

In this case, for a simple email verification, a user must navigate eight increasingly convoluted tasks—all to set up a complex new password they’ll likely forget again in a couple of days.

3. A high-friction password reset flow can lower conversion rates and put users at risk

Once a password reset flow has been built, engineers tend to forget about it. But by not tending to it on a regular basis, you might miss out on key opportunities to boost user experience.

Studies have shown that a weak or outdated reset flow can have a significant impact on your business and even make users vulnerable to cyber attacks.

Common blunders—like sending plaintext password reminders, asking for information that is easily findable online, or using error messages that disclose if a specific email address is registered—can pose huge security threats. And demanding too many (or the wrong kind of) verification tasks can frustrate users and lead them to abandon the reset flow altogether.

On average, about 10% of your active users will pass through the password reset flow each month. Of those, 75% will drop out partway through the multistep process.

To put that another way: with a high-friction password reset flow, you’re losing 7.5% of high-intent users before they’ve even had a chance to engage with your application.

Passwordless magic

With all the problems a password reset flow can cause for an app, it’s worth considering how passwordless tools can improve the process.

Forward-thinking companies like Instagram are choosing to optimize user experience and retention by replacing the password reset flow with passwordless options like email magic links.

Using an email magic link cuts the tiresome eight-step password reset flow down to two simple steps. When a user clicks the “Forgot password?” link, they are prompted to enter their email address. If registered with the app, they’ll receive a magic link in their inbox which, when clicked, automatically signs them back into their account.

That’s it. No fuss, no complicated new password, no compromised security. Once a magic link is used, it becomes invalid, so there are no loose threads that could put an account at risk.
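The issue-and-redeem logic behind a single-use magic link, as an added example that is not Stytch's code or API: it stores only a hash of the token, expires it after a hypothetical 10-minute window, invalidates it on first use, and answers the "Forgot password?" request with the same message whether or not the address is registered (the enumeration blunder noted under point 3). The user table and link store are constructed in-memory stand-ins for a database, and the token is returned to the caller only so the flow can be exercised offline; in production it goes out by email only.

```python
import hashlib
import secrets
import time

# Constructed sample data standing in for a database (hypothetical).
REGISTERED_USERS = {"alice@example.com": "user_1"}
_pending_links = {}  # sha256(token) -> {"user_id": ..., "expires_at": ...}

LINK_TTL_SECONDS = 600  # assumed policy: a link is valid for 10 minutes
NEUTRAL_REPLY = "If that address is registered, a sign-in link is on its way."


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked link table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_magic_link(email: str, now=None):
    """Handle the 'Forgot password?' request.

    Returns (reply, token). The reply is identical for registered and
    unknown addresses, so the response does not reveal whether an account
    exists. The token is None for unknown addresses; for known ones it would
    be embedded in the emailed link, never shown to the requesting browser.
    """
    now = time.time() if now is None else now
    user_id = REGISTERED_USERS.get(email.strip().lower())
    token = None
    if user_id is not None:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        _pending_links[_hash_token(token)] = {
            "user_id": user_id,
            "expires_at": now + LINK_TTL_SECONDS,
        }
    return NEUTRAL_REPLY, token


def consume_magic_link(token: str, now=None):
    """Redeem a link exactly once: returns the user id, or None if invalid."""
    now = time.time() if now is None else now
    # pop() removes the record, so a second click on the same link fails.
    record = _pending_links.pop(_hash_token(token), None)
    if record is None or record["expires_at"] < now:
        return None
    return record["user_id"]
```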

Integrating passwordless solutions like email magic links and SMS logins into your app’s password reset flow is a great way to quickly improve the user experience.

Key takeaways

A poorly executed password reset flow can have big consequences for your users and your business.

Why not avoid the issue altogether by going passwordless? Secure, efficient passwordless options are available and can go a long way towards removing burdensome flows, improving the developer and user experience, and boosting conversion rates. Even if you’re not ready to fully eliminate passwords from your application, you can follow our simple guide for using the Stytch API to replace your password reset flow with a one-click email magic link.

Interested in ditching passwords?

Stytch helps you go passwordless by providing easy-to-integrate API and SDK authentication solutions. Let us build the infrastructure, while you focus on your core product.

Sign up for free to start using the API.

A path forward with Stytch

Stytch is on a mission to eliminate friction on the internet. Learn more about our modern, passwordless approach to authentication.
