Password Reset Is Critical For A Good Customer Experience

Learn about how to keep your accounts secure while minimizing customer friction


Why Is Password Reset So Critical?

The average American email address has 130 accounts registered to it, and the number of accounts per user is doubling every five years. This massive rise in accounts also means users are accumulating more and more passwords, making it inevitable that they will forget one from time to time.

58% of users admit to forgetting their password frequently, and the average internet user receives roughly 37 “forgot password” emails a year.

These realities make password reset a necessity for any app. However, building a good password reset process is more than asking security questions. If your password reset process makes life harder for your customers, you’ll be giving them a reason to stop using your service.

What Makes A Good Reset Process?

Good password reset processes do two things:

  • They minimize friction for the customer. It shouldn’t take your customer more than a minute to reset their password, and the process should only require information customers are comfortable entering, like email addresses.
  • They make sure the customer’s information is secure, providing safeguards against things like repeated failed logins and sending reset information only over channels the customer controls.

Email is most commonly used for password reset because it satisfies both these criteria. It minimizes friction as typing in an email address is quick and easy for a customer, and it will protect their information as only the customer should have access to their inbox.

Why Is Password Reset So Hard To Do Right?

A single misstep in password reset can ruin your customer’s entire experience with your product. These mistakes often come in the form of:

  • Security questions – Static information is easy to obtain. Where you went to school, your mother’s maiden name, even your pet’s name, are probably available somewhere on the internet, making them available to attackers.
  • Passwords in plaintext – Instead of resetting the password, some sites send the original password back to the customer, which is a massive vulnerability. For a password to be sent in plaintext, it must be stored in plaintext (or reversibly), so a single database breach exposes every customer’s password.
  • Error messages – If an application reveals whether or not an email address is registered, an attacker can confirm that a particular person has an account with you (account enumeration). This gives them one more piece of information to use against your customer.
  • Requiring unnecessary information – Security must be balanced with usability. Asking customers for a photo ID is a safe practice, but its overall effect on the customer experience is a negative one.

How Auth0 Makes Password Resets Frictionless

Developing password reset functionality from scratch requires significant resources. You’d need to develop:

  • A system for securely registering customers
  • A system for securely storing customer information
  • An intuitive UI for customers to access your reset function
  • A reset function
  • An email automation system to send your password resets

With Auth0 Lock, you can do everything listed above in a secure way. Because Lock runs on top of the Auth0 platform, all of these pieces are already in place for you. Auth0 Lock combines the easiest possible reset process with the highest standard for security. The reset process looks like this:

[Diagram: password recovery flow]

Customers who’ve forgotten their password simply click the “Forgot Password” button and are taken to this screen:

[Screenshot: the Lock “Forgot Password” screen]

Important: Navigate to Dashboard > Account Settings > Advanced to check if the Change Password flow v2 toggle is enabled. If it is, make sure to use Lock version 9 or later for this password reset flow.

After entering their email, the customer will then see this banner:


The banner is shown even if the email address is not registered to an account, meaning that attackers won’t be able to try different emails to see if a particular customer does or doesn’t have an account.

In their inbox, the customer will find this kind of email:

[Screenshot: the password reset email]

This One Time Password link requires a single click and ensures the password is never displayed in plaintext. Clicking the link brings the customer to this screen:

