Password reset in the Loginapp REST API / UI

The Loginapp REST password reset API allows end-users to reset their own passwords. The service is typically accessed by the end-user via a Forgot password? link on the login page. It is configured as a public self-service flow.

The API is publicly accessible. Special consideration regarding user enumeration and security, in general, is therefore essential.

Arbitrary steps may be configured in the public self-service flow. Therefore the password reset flow may be very individual and differ from the example given below.

0. A typical password reset flow consists of the following phases:
1. User identification (enter username).
2. Identity verification (e-mail, SMS, or alike).
3. Password reset actions:
1. Set a new password.
2. Order new letter.
3. Unlock account - optionally combined with 2nd-factor approval step.

• Most important password reset flow steps:
• User Identification Step
• Identity verification steps:
• E-Mail Identity Verification Step
• Send Email Link Step (in combination with the Flow Continuation Step)
• SMS Identity Verification Step
• Secret Questions Identity Verification Step
• 2nd-factor steps for password reset approval:
• Airlock 2AF Factor Step
• Cronto Factor Step
• mTAN Factor Step
• Set Password Step
• Password Letter Order Step
• Unlock User Step (Password Reset)
• Selection Step for Password Reset
• E-Mail Notification Step