A church admin asks us a tired question this week: can we please make the member portal stop generating password reset emails? The login flow is fine on paper, but every Sunday someone forgets their password, and by Monday morning the office has a stack of "I can't get into the directory" voicemails. The portal works. The passwords are the problem.
This is no longer a problem you have to live with. Passkeys — the passwordless login standard now built into every modern phone and laptop — are quietly becoming the default on serious websites in 2026. For a church member portal, they are arguably more useful than they are for a bank, because the people forgetting passwords are often the people least comfortable with technology to begin with.
What a Passkey Actually Is
A passkey is a cryptographic credential that lives on your device — phone, laptop, or hardware key — and proves who you are without sending a secret to the website. When you sign in, your device asks you to confirm with Face ID, Touch ID, Windows Hello, or a PIN. Behind the scenes, the device signs a one-time challenge from the server and that is the entire login.
There is nothing to remember and nothing to type. There is nothing the server can leak in a breach, because the server only ever stored a public key. There is nothing for a phishing site to capture, because the browser refuses to send the credential to the wrong domain.
For a member portal that holds directory information, giving history, and small group rosters, this is a meaningful security upgrade. For the 78-year-old usher who has been writing his password on a sticky note for four years, it is a small mercy.
Why This Matters for a Church Portal Specifically
The trust dynamic at a church is different from a typical app. People hand over their phone numbers, their family photos, their kids' allergies, their giving records, and they trust the church to keep all of it safe. The weakest link in that promise is almost always a reused password.
Passkeys do not need a reset flow that emails a link to an old AOL address. They do not need a complexity policy that someone will work around. They do not need a "security questions" feature that a determined attacker can guess from a Facebook profile. And they remove the most common volunteer support request a small church office handles in a given month.
There is also a practical kindness in not asking older members to memorize one more thing. The Face ID prompt that already unlocks their phone is the same prompt that now unlocks the church directory. Nothing new to learn.
What It Takes to Add Passkeys to a Member Portal
The technical lift is smaller than most churches expect. The WebAuthn standard is supported in every current browser, and libraries like SimpleWebAuthn handle the cryptographic details so the application code is straightforward.
The flow has two parts. Registration: a logged-in member taps "Add a passkey," the browser prompts for biometric confirmation, and the resulting public key is saved alongside their account. Login: the member taps "Sign in with a passkey," the browser shows the same prompt, and the server verifies the signed challenge.
// Server-side registration (simplified)
import { generateRegistrationOptions, verifyRegistrationResponse }
from '@simplewebauthn/server';
const options = await generateRegistrationOptions({
rpName: 'Grace Community Church',
rpID: 'members.gracecommunity.org',
userID: member.id,
userName: member.email,
authenticatorSelection: { residentKey: 'preferred' },
});
await saveChallenge(member.id, options.challenge);
return options;
The client uses the standard navigator.credentials.create() API, sends the response back, and the server verifies it against the saved challenge. The whole feature, end to end, is usually under 300 lines of code.
For ministries on hosted platforms — Subsplash, Tithely Sites, Church Co, Ministry Brands — passkey support is starting to ship as a built-in option. If yours has not added it yet, ask. The platforms move when their churches ask.
The Migration Strategy That Actually Works
The instinct is to flip a switch and force every member onto passkeys at once. Don't. Members in their twenties will roll their eyes; members in their seventies will call the office in a panic.
A gentler path works better. Leave passwords in place. Add passkeys as an option in the member's account settings, with a clear explanation: "Skip typing your password by using Face ID, Touch ID, or your fingerprint." Make it opt-in. Promote it once a quarter in the email newsletter. Track adoption quietly.
After a year, most digitally comfortable members will have moved over on their own. At that point, you can have a conversation about retiring passwords for new accounts and offering passkey-only signup. The members who never adopt can keep their password until they are ready, and the church staff has not generated a single support ticket from a forced migration.
A Word on Recovery
The honest weakness of passkeys is recovery. If a member loses both their phone and their laptop, they need a way to get back in. The cleanest pattern for a church portal is to let members register more than one passkey on more than one device, and to keep a verified email or phone number on file as a last-resort recovery channel.
This is no worse than the password world, and in practice considerably better, because most members will have synced their passkey through iCloud Keychain or Google Password Manager and a new device will pick it up automatically.
Quiet Hospitality
Most members will never notice the change beyond the moment they realize they have not typed a password in three months. That is the point. The portal becomes a thing that opens when they need it, without friction, without anxiety, and without the small Sunday-afternoon shame of having forgotten the password again.
Faithful stewardship of people's data does not have to feel like security theater. Sometimes it looks like quietly removing a thing that was never serving them in the first place.
If you are running a member portal and the password reset emails are wearing you down, we can help you map a passkey rollout that fits your congregation. The upgrade is smaller than it sounds and the relief is larger than you would expect.