> Rather than allowing a user to set their own password, passwords can be issued in exactly the same way as API keys are now: a high-entropy password is randomly generated by the issuing website, and the user is shown the password once only and asked to record it. If the password is lost, a new password must be generated using the same process.
I don’t understand that logic. Normally, systems generate API keys and show them to a person _knowing_who_that_person_is_.
If, when I lose my password, the system can generate a new one for me even when I’m not logged in, how can it know it’s doing that for me and not for someone claiming to be me?
I don't understand your confusion. The generated high-entropy password would be shown to you with the system knowing who you are, too, because you just registered or reset your password.