10.2.1.4.1. Password reset flow example
A typical password reset self-service has the following steps:

1. Enter Username: the user enters the username or alias.
2. User Verification: typically one of the following three actions is taken to verify the user's identity:
   1. Email Verification: an email message containing an OTP or link is sent to the address stored in the user account.
   2. SMS Verification: an OTP code is sent to the mobile phone number stored in the user account. The user must enter the correct OTP code to proceed to the next step.
   3. Secret Questions: the user must correctly answer a number of "secret questions". The answers must have been recorded by the user beforehand.
3. Second Authentication Factor (optional): the second-factor token (Airlock 2FA) must be provided. This step is optional.
4. Choose a new password: the user may choose a new password satisfying the password policy. Alternatively, a user might want to order a new password letter in this step.

The above flow is only an example. In particular, the Loginapp REST API is flexible and allows for other flows.

User enumeration protection (stealth mode):

Since the username is entered at the start of this service, an attacker might use the service to learn which usernames exist (user enumeration).

To prevent this, Airlock IAM provides a mode in which the self-service is simulated for non-existing usernames such that a potential attacker cannot distinguish a real username from a non-existing one. The mode can be enabled or disabled in the configuration.
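The stealth-mode behaviour described above, as an added example that is not Airlock IAM's own code: a minimal Python reset-request handler with a hypothetical user store, session table and OTP delivery, which performs the same steps and returns the same response for an unknown username as for a known one, and whose verification step fails identically for a simulated session and for a wrong code.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample user store (hypothetical data): username -> contact address.
USERS = {"alice": "alice@example.com", "bob": "+41790000000"}
GENERIC_MSG = "If the account exists, a verification code has been sent."


@dataclass
class Outbox:
    sent: list = field(default_factory=list)  # (address, otp) actually delivered


# Pending reset sessions keyed by an opaque token; otp is None for simulated ones.
SESSIONS: dict = {}


def request_reset(username: str, outbox: Outbox, stealth: bool = True) -> dict:
    """Step 1 of the flow: start a reset.

    In stealth mode an unknown username gets the same message and a real-looking
    session token, so the response does not reveal whether the account exists.
    """
    address = USERS.get(username)
    if address is None and not stealth:
        return {"message": "unknown username", "token": None}  # leaks validity
    otp = f"{secrets.randbelow(10**6):06d}"  # generated either way: same work
    if address is not None:
        outbox.sent.append((address, otp))  # only real users receive a code
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = otp if address is not None else None
    return {"message": GENERIC_MSG, "token": token}


def verify_otp(token: str, code: str) -> bool:
    """Step 2 of the flow: check the OTP.

    A simulated session can never be verified, but it fails in the same way as a
    wrong code for a real session, and does comparable work (constant-time compare).
    """
    expected = SESSIONS.get(token)
    if expected is None:
        secrets.compare_digest(code, "000000")  # same cost, result discarded
        return False
    return secrets.compare_digest(code, expected)
```

The check a practitioner wants is the one the stealth mode exists for: the message, the presence of a token and the failure on a wrong code are identical for "alice" and for a username that does not exist.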