We rolled out a new password reset workflow yesterday.
Why did we spend time on this?
- Sending passwords via email on reset and requiring security Q+A were normal for 2007 when we started this, but UX and opsec best practices have evolved since.
- Users had been having trouble w/ the existing workflow, which meant user pain and our time to service it - more time on support means less time on developing.
What was the approach?
Find a best practice to copy from the wild: Slack.
Nitty Gritty
- We looked for the best experience and that was Slack, so we copied 90% of what we saw.
- Magic links are not yet rolled out, but they are a stone's throw away if we so desire in the future.
- One difference between us and Slack is that some of our usernames are not emails, so we had to account for that.
- Secret question and answer are no longer requested on registration, nor managed on the account page.
- Users w/ password issues can now head to the forgot page and self-serve.
- The reset link is only valid for 24 hours.
- Users will get an email on password reset.
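As an added example (not code from the original post), a minimal token-based reset service that follows the workflow above: lookup by username or email, a 24-hour single-use link, only a hash of the token at rest, and an email on completion. The class names, the mailer stub and the password hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Optional
RESET_TTL = timedelta(hours=24)  # the 24-hour link validity described above

class User:
    def __init__(self, username: str, email: str):
        self.username, self.email = username, email  # username is not always an email
        self.password_hash: Optional[str] = None
        self.reset_token_hash: Optional[str] = None  # only a hash of the token is stored
        self.reset_expires_at: Optional[datetime] = None

class ResetService:
    def __init__(self, users):
        self.users = list(users)
        self.sent_mail = []  # (recipient, subject) pairs; stands in for a real mailer

    def _find(self, identifier: str) -> Optional[User]:
        # accept either a username or an email, since not all usernames are emails
        ident = identifier.strip().lower()
        return next((u for u in self.users if ident in (u.username.lower(), u.email.lower())), None)

    def request_reset(self, identifier: str, now: datetime) -> Optional[str]:
        """Issue a single-use token and mail the link; returns the raw token or None."""
        # The HTTP handler should answer identically either way to avoid account enumeration.
        user = self._find(identifier)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)  # the raw token exists only in the emailed link
        user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.reset_expires_at = now + RESET_TTL
        self.sent_mail.append((user.email, "Password reset link"))
        return token

    def complete_reset(self, token: str, new_password: str, now: datetime) -> bool:
        """Consume the token if it matches and is unexpired; returns True on success."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        for user in self.users:
            if user.reset_token_hash and hmac.compare_digest(user.reset_token_hash, digest):
                expired = now > user.reset_expires_at
                user.reset_token_hash = user.reset_expires_at = None  # single use, even when expired
                if expired:
                    return False
                salt = secrets.token_hex(16)
                user.password_hash = salt + ":" + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt.encode(), 200_000).hex()
                self.sent_mail.append((user.email, "Your password was reset"))  # notify on reset
                return True
        return False
```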
Now back to regularly scheduled development.