Any application aimed at presenting users with a premium, seamless UX must take account of the times when user authentication fails. What happens when a user forgets their password? What can we do to confirm sensitive operations using email or other out-of-band communication? How can we make an application easy to use while also keeping it secure? One mechanism, which protects both password reset links and other secure actions taken by way of an out-of-band confirmation is that of secure tokens.