by tytho 221 days ago
Many applications need a way to contact a user (security breach, password reset). If one only has a username and forgets the password, there’s no way to reverify the user.

There are many ways to re-verify the user if one forgets a password. Some may even be more secure than sending an e-mail. Simplest is a set of single-use reset codes that could be generated at signup or later on, like the ones to remove 2FA.
You don't need to validate email for that.
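The single-use reset codes described in the comment above, as an added example that is not part of the original thread: codes are generated at signup, only salted hashes are kept server-side, and each code is destroyed on first use. All names here (`generate_recovery_codes`, `RecoveryCodeStore`) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread): single-use account-recovery codes,
# the kind handed out at signup like 2FA backup codes. Only a hash of each
# code is stored, and a code is deleted the first time it is redeemed.

CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no ambiguous 0/O/1/l


def generate_recovery_codes(n=8, length=10):
    """Return n random codes to show the user once (plaintext never stored)."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(n)]


def _hash_code(code, salt):
    # Codes are high-entropy (31^10), so a salted SHA-256 is adequate; a slow
    # KDF is needed only for low-entropy secrets such as passwords.
    return hashlib.sha256(salt + code.lower().encode()).hexdigest()


class RecoveryCodeStore:
    """Per-user store of hashed, single-use codes (in memory here; one DB row per code in practice)."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.hashes = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, candidate):
        """Return True and consume the code if it is valid and unused, else False."""
        h = _hash_code(candidate.strip(), self.salt)
        # Check every stored hash in constant time; do not stop at the first hit,
        # so timing does not reveal which (if any) entry matched.
        match = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:
            return False
        self.hashes.discard(match)  # single use: the same code never works twice
        return True

    def remaining(self):
        return len(self.hashes)
```

The same redeem path also works for "remove 2FA" backup codes; in production the store would also rate-limit attempts and log each redemption for review.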
I think if you're not verifying emails, you'll also receive lots of bot signups.
> If one only has a username and forgets the password, there’s no way to reverify the user.

Tough beans?

A good user experience does its best to avoid tough beans. That's kind of UX 101.
In the case of security procedures, I'd argue that there is some room for tough beans. Reducing security to cater for carelessness seems like a really bad compromise to me, one that I see far too often.
This is an absurd position, and potentially illegal - for paid services.

You have a business relationship between the company and a person. Whether that person remembers the password or not is immaterial to whether they have the legal right to anything they purchased in the app.

Having your account taken over is also a bad user experience.
> Many applications need a way to contact a user … password reset

At this point the password is pointless, you might as well just use the email address. Or perhaps a distinct username and email address, but then there would probably be a “forgot username” workflow making that as pointless as the separate password.