Password reset email works for email verification too?

Hi everyone,

I’ve noticed a behavior I wanted to clarify.

If a user signs up using email/password but does not verify their email, and later clicks “Forgot password”, Firebase sends them a password reset email as expected.

However, once the user completes the password reset process using that link, their emailVerified flag becomes true — even though they never clicked an actual email verification link (sendEmailVerification).


My questions:

  1. Is this intended behavior?

  2. Does Firebase treat a successful password reset as implicit email verification?

  3. Is it safe to rely on this behavior for access control?


Thanks in advance for the clarification!
– Nico