Problem statement
Does Auth0 have a use case on how to ask imported users for a password reset when the imported passwords are not hashed using a supported algorithm?
From the documentation, passwords need to be hashed using one of the supported algorithms when importing passwords. Users with passwords hashed by unsupported algorithms will need to reset their password when they log in for the first time after the bulk import. Refer to Bulk User Imports / Prerequisites for more details.
Solution
Consider Lazy Migration as a first option. Refer to Configure Automatic Migration from Your Database. Using this option, it is not necessary to reset passwords even if the external source database uses an unsupported hash algorithm.
If Lazy Migration is not an option, consider one of the following approaches:
(1) Send password change emails
- Pros: The API can send all of the emails at once, and the implementation is not complex.
- Cons: Users can miss the emails, and the reset links in them expire.
It is also possible to embed a form where users can request a password reset before their first login, but the implementation becomes complex once access control has to be handled.
(2) Let users click the “Forgot password?” link on the first login
- Pros: The simplest option. Display a message such as “Please reset your password using this link on your first login” on the login page.
- Cons: It adds some friction: users have to read the message and click the link.
(3) Use Email Passwordless for the first login
Perform Account Linking with the Username+Password connection, then let the user reset their password so that they can sign in with the password next time.
- Pros: It can be a smoother user experience.
- Cons: Extremely complex implementation.