Learn about how to keep your accounts secure while minimizing customer friction
The average American email address has 130 accounts registered to it, and the number of accounts per user is doubling every five years. This massive rise in accounts also means users are accumulating more and more passwords, making it inevitable that they will forget one from time to time.
These realities make password reset a necessity for any app. However, building a good password reset process is more than asking security questions. If your password reset process makes life harder for your customers, you’ll be giving them a reason to stop using your service.
Good password reset processes do two things:
Email is the most common channel for password reset because it satisfies both criteria. It minimizes friction, since typing an email address is quick and easy for the customer, and it protects the customer's information, since only the customer should have access to their inbox.
A single misstep in password reset can ruin your customer’s entire experience with your product. These mistakes often come in the form of:
With Auth0 Lock, you can do everything listed above in a secure way. Because Lock is built on top of Auth0’s framework, the whole flow is implemented for you. Auth0 Lock combines the easiest possible reset process with a high standard of security. The reset process looks like this:
Customers who’ve forgotten their password simply click the “Forgot Password” button and are taken to this screen:
Important: Navigate to Dashboard > Account Settings > Advanced to check if the Change Password flow v2 toggle is enabled. If it is, make sure to use Lock version 9 or later for this password reset flow.
After entering their email, the customer will then see this banner:
The banner is shown even if the email address is not registered to an account, so an attacker cannot submit different addresses to learn whether a particular person does or does not have an account.
In their inbox, the customer will find this kind of email:
This one-time password link requires a single click and ensures the password is never displayed in plaintext. Clicking the link brings the customer to this screen:
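The two properties described above, a response that is identical whether or not the address is registered, and a reset link that works exactly once and then expires, are what a self-built reset flow must reproduce. The following is an added illustration of that server-side logic, not Auth0 or Lock code; the in-memory user store, the `https://example.com/reset` link format and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
# Same message for every address, so the response reveals nothing about
# which accounts exist (the same idea as the banner in the text).
GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def hash_password(password, salt):
    # Slow, salted hash for the stored password (not the reset token).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class ResetService:
    def __init__(self, users, now=time.time):
        self.users = users   # constructed store: {email: {"salt": bytes, "password_hash": str}}
        self.tokens = {}     # sha256(token) -> (email, expires_at); raw token is never stored
        self.outbox = []     # (email, link) pairs a real mailer would deliver
        self.now = now       # injectable clock so expiry can be exercised in tests

    def request_reset(self, email):
        if email in self.users:
            token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"https://example.com/reset?token={token}"))
        # Unknown and known addresses get the same message. In production, queue the
        # token generation and mail send so response timing is uniform as well.
        return GENERIC_MESSAGE

    def redeem(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop() makes the link single-use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:             # stale links are rejected
            return False
        account = self.users[email]
        account["salt"] = secrets.token_bytes(16)
        account["password_hash"] = hash_password(new_password, account["salt"])
        return True


def token_from_link(link):
    # Helper for tests and callers: extract the token query parameter.
    return link.split("token=", 1)[1]
```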