Complex password reset flow example





Airlock IAM

  • Airlock IAM 8.0 or newer.
  • An Airlock 2FA subscription is required.

If no Airlock 2FA subscription is available, a similar example can be set up using mTAN instead of Airlock 2FA.

Intended solution environment

This example shows how to configure and use the Loginapp password reset REST API for a more complex password reset flow.

This example meets the following requirements:

  • User identification is verified using an email address.
  • The user may choose to order a new password letter or to reset the password.
  • To reset the password, the reset operation must be approved using Airlock 2FA.


  • Understand how the password reset feature works in general.
  • Understand how to use selection within the password reset flow.
  • Understand how to use a 2nd factor to approve the password reset operation.
  • Be able to configure and try out a more complex password reset flow.

All of the following procedures are examples and will vary according to your setup or needs.


  • The user account used in the example exists in the IAM database.
  • The Loginapp REST API is configured.
  • The user is able to approve a transaction or operation using Airlock 2FA. The user has a corresponding smartphone app or a suitable hardware token.

Configuration and REST calls

The flow is configured as a public self-service flow:
Loginapp >> Public Self-Service Flows >> a flow implementing password reset.

The flow steps configured for this example and a high-level view of the REST calls are shown in the diagram below.






Provide the name of the user for which the password reset flow should be executed.

This step is required to start the flow and to select the user.

By default, this step completes with 200 OK even if the user cannot be found or the account is locked or invalid. This protects against user enumeration attacks.

To change this, adapt the configuration of the Default Password Reset Restrictions plugin or define your own password restriction settings using the plugin Custom Public Self-Service Restrictions.


Send an OTP to the end user's email address and verify the OTP entered by the end user.


Select a subflow (the end-user typically chooses the subflow).

The REST client may obtain the available selection options and then select one of the options.


Order a new password letter.

This option is not selected in the sample REST call sequence.


Approve password reset operation using Airlock 2FA.

To further secure the password reset operation, the operation has to be approved using the Airlock 2FA authentication factor (push or Offline QR-Code).


Set the new password.

This step persists the new password if it passes the password policy.
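
The step order described above can be modelled as a small server-side state machine. The following Python model is an added example, not Airlock IAM code or its REST API: the class, method and option names are hypothetical, and the mail, 2FA and password policy callbacks are assumed stand-ins supplied by the caller.

```python
import hmac
import secrets
# Constructed sample account; every name here is hypothetical, not Airlock IAM's.
USERS = {"alice": {"email": "alice@example.test", "locked": False}}
OPTIONS = ("order-password-letter", "reset-password")

class ResetFlow:
    def __init__(self, send_mail, approve_2fa, policy):
        self.send_mail, self.approve_2fa, self.policy = send_mail, approve_2fa, policy
        self.user, self.otp, self.done = None, None, set()

    def _require(self, step):          # enforce step order on the server side
        if step not in self.done:
            raise PermissionError(f"step '{step}' not completed")

    def identify(self, username):
        acct = USERS.get(username)
        if acct and not acct["locked"]:
            self.user = username
        return 200                     # same answer for known, unknown, locked

    def send_otp(self):
        self.otp = secrets.token_hex(4)
        if self.user:                  # mail leaves only for a usable account
            self.send_mail(USERS[self.user]["email"], self.otp)
        return 200

    def verify_otp(self, code):
        ok = bool(self.user and self.otp) and hmac.compare_digest(code.encode(), self.otp.encode())
        if ok:
            self.done.add("otp")
        return ok

    def select(self, option):
        self._require("otp")
        if option not in OPTIONS:
            raise ValueError("unknown option")
        self.done.add(option)

    def approve(self):
        self._require("reset-password")
        if self.approve_2fa(self.user):
            self.done.add("2fa")

    def set_password(self, new_pw, persist):
        self._require("2fa")
        if not self.policy(new_pw):
            return False
        persist(self.user, new_pw)     # only reached after OTP + 2FA approval
        return True
```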