Auth & identity
July 19, 2021
Author: Reed McGinley-Stempel
For those still using password-based authentication, implementing a password reset flow can be a frustrating step. Not only is it a headache to build, but it introduces unnecessary friction to the user experience and frequently results in users abandoning the interaction.
A password reset flow is essentially a passwordless login with many additional steps tacked on. By leaning into this and using passwordless solutions as an alternative to password resets, you can delight your users and increase conversion and engagement.
To illustrate this point, we’ve identified three ways a password reset flow can undermine your app’s performance—and a glimpse at how passwordless solutions can help.
The password reset flow is often an afterthought. If you’ve spent multiple sprints building a secure password login, it feels reasonable to wait on the password reset process and focus on your core product.
After all, how many people will really forget their password in the first months after launch?
The truth is, users are creating exponentially more passwords each year as they discover new apps and open new accounts. And the more passwords they accumulate, the likelier they are to forget them.
So, when’s the right time to build a password reset flow? If you’re choosing to rely on password-based authentication, it’s right away—before that first forgetful user reaches out for help.
(Of course, we’d say never. If you go fully passwordless, you’ll avoid this problem altogether.)
It’s easy to forget that the password reset flow is really just a multistep email verification process.
But instead of receiving a quick email login link—otherwise known as a “magic link”—users are walked through something like this:
Step 1: User forgets password.
Step 2: User clicks “Forgot password?” link.
Step 3: User enters email and requests password reset flow.
Step 4: User opens inbox and clicks the password reset link.
Step 5: User creates a new password with a set of 10 elaborate security requirements.
Step 6: User confirms new password.
Step 7: User is redirected to the original login page.
Step 8: User enters username and new, complicated password.
In this case, for a simple email verification, a user must navigate eight increasingly convoluted tasks—all to set up a complex new password they’ll likely forget again in a couple of days.
Once a password reset flow has been built, engineers tend to forget about it. But by not tending to it on a regular basis, you might miss out on key opportunities to boost user experience.
Studies have shown that a weak or outdated reset flow can have a significant impact on your business and even make users vulnerable to cyber attacks.
Common blunders—like sending plaintext password reminders, asking for information that is easily findable online, or using error messages that disclose if a specific email address is registered—can pose huge security threats. And demanding too many (or the wrong kind of) verification tasks can frustrate users and lead them to abandon the reset flow altogether.
To put that another way: with a high-friction password reset flow, you’re losing 7.5% of high-intent users before they’ve even had a chance to engage with your application.
With all the problems a password reset flow can cause for an app, it’s worth considering how passwordless tools can improve the process.
Forward-thinking companies like Instagram are choosing to optimize user experience and retention by replacing the password reset flow with passwordless options like email magic links.
Using an email magic link cuts the tiresome eight-step password reset flow down to two simple steps. When a user clicks the “Forgot password?” link, they are prompted to enter their email address. If registered with the app, they’ll receive a magic link in their inbox which, when clicked, automatically signs them back into their account.
That’s it. No fuss, no complicated new password, no compromised security. Once a magic link is used, it becomes invalid, so there are no loose threads that could put an account at risk.
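To make the two-step flow concrete, here is an added example (written for this page, not Stytch's SDK or the author's code) of a minimal magic-link issuer: the request step returns the same message whether or not the address is registered, tokens are stored only as hashes with an expiry, and redeeming a link removes it so it works exactly once. The `send_email` callback, the `example.invalid` URL and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links expire after 15 minutes


class MagicLinkService:
    """Issues and redeems single-use email magic links (illustrative, not Stytch code)."""

    def __init__(self, registered_emails, send_email, now=time.time):
        self.registered = {e.strip().lower() for e in registered_emails}
        self.send_email = send_email  # hypothetical callback: send_email(address, link)
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # sha256(token) -> (email, expires_at)

    def request_link(self, email):
        """Step 1: the user submits an email address.

        The reply is identical for registered and unregistered addresses, so
        this endpoint does not disclose whether an account exists.
        """
        email = email.strip().lower()
        if email in self.registered:
            token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
            self.pending[self._digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            # In production, queue the send so response timing stays uniform.
            self.send_email(email, f"https://example.invalid/magic?token={token}")
        return "If that address is registered, a sign-in link is on its way."

    def redeem(self, token):
        """Step 2: the user clicks the link. Returns the signed-in email, or None."""
        entry = self.pending.pop(self._digest(token), None)  # pop: one use only
        if entry is None:
            return None  # unknown token, or a link that was already used
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # expired; it has also just been discarded
        return email

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table cannot be replayed as valid links.
        return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a mail transport
    svc = MagicLinkService(["alice@example.com"], lambda addr, link: outbox.append(link))
    print(svc.request_link("alice@example.com"))
    token = outbox[0].split("token=")[1]
    print(svc.redeem(token), svc.redeem(token))  # second redeem returns None
```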
A poorly executed password reset flow can have big consequences for your users and your business.
Why not avoid the issue altogether by going passwordless? Secure, efficient passwordless options are available and can go a long way towards removing burdensome flows, improving the developer and user experience, and boosting conversion rates. Even if you’re not ready to fully eliminate passwords from your application, you can follow our simple guide for using the Stytch API to replace your password reset flow with a one-click email magic link.
Stytch helps you go passwordless by providing easy-to-integrate API and SDK authentication solutions. Let us build the infrastructure, while you focus on your core product.
Sign up for free to start using the API.
Stytch is on a mission to eliminate friction on the internet. Learn more about our modern, passwordless approach to authentication.