Seems like on most web site that has user account, email address is used as login id. For user account password reset, email server is trusted to be the delivery of reset notice. So email server is trusted, in somewhere. Is it then possible to enhance email server for the role of user authentication? So for my web app, there is no storage of password. When user login, the email/password credential is passed to the email server to verify. Not sure if this question makes sense.