Password reset in the Loginapp REST API / UI

The Loginapp REST password reset API allows end-users to reset their own passwords. End-users typically reach the service via a "Forgot password?" link on the login page. It is configured as a public self-service flow.

Because the API is publicly accessible, user enumeration needs special consideration: the responses, error messages, and timing of the identification and verification steps should not reveal whether a given username exists. The same care applies to brute forcing of verification codes and to the security of the flow in general.

Basic concepts and flow steps

The public self-service flow can be configured with arbitrary steps, so a concrete password reset flow may be highly customized and differ from the example given below.

A typical password reset flow consists of the following phases:

  1. User identification (enter username).
  2. Identity verification (e-mail, SMS, or alike).
  3. Password reset actions:
    1. Set a new password.
    2. Order a new password letter.
    3. Unlock the account, optionally combined with a 2nd-factor approval step.

Most important password reset flow steps:

  • User Identification Step
  • Identity verification steps:
    • E-Mail Identity Verification Step
    • Send Email Link Step (in combination with the Flow Continuation Step)
    • SMS Identity Verification Step
    • Secret Questions Identity Verification Step
  • 2nd-factor steps for password reset approval:
    • Airlock 2FA Factor Step
    • Cronto Factor Step
    • mTAN Factor Step
  • Set Password Step
  • Password Letter Order Step
  • Unlock User Step (Password Reset)
  • Selection Step for Password Reset
  • E-Mail Notification Step
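The three phases above (identify, verify, reset action) as an added example in Python. This is not Airlock IAM code and does not use its REST API; it is a minimal in-memory model of a self-service reset flow that shows the controls a reviewer would check for on a public endpoint: an identical response and identical work for known and unknown usernames, a constant-time code comparison, a bounded number of code attempts, code expiry, and a verified session that authorizes exactly one reset action. The user store, the 6-digit code, the 3-attempt limit, the 10-minute validity, and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Example parameters (assumptions for this example, not Airlock IAM settings).
CODE_TTL_SECONDS = 600          # a verification code is valid for 10 minutes
MAX_CODE_ATTEMPTS = 3           # failed code entries before the session is discarded
MIN_PASSWORD_LENGTH = 12
GENERIC_RESPONSE = "If an account exists for this username, a verification code has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class ResetSession:
    username: str
    code: str            # generated for unknown usernames too (decoy), so every path does the same work
    known: bool          # True only if the username exists; never exposed to the client
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS
    verified: bool = False


class PasswordResetFlow:
    """Phases: identify -> verify -> one reset action (set_password or unlock_user)."""

    def __init__(self, users: dict, now=time.time):
        self.users = users          # username -> {"email", "pw": (salt, digest), "locked"}
        self.now = now              # injectable clock so expiry can be tested
        self.sessions: dict = {}    # session id -> ResetSession
        self.outbox: list = []      # (email, code) messages the flow would send

    # Phase 1: user identification. Known and unknown usernames get the same
    # response and a session of the same shape; only a known one gets an e-mail.
    def identify(self, username: str) -> tuple:
        user = self.users.get(username)
        code = f"{secrets.randbelow(1_000_000):06d}"
        if user is not None:
            self.outbox.append((user["email"], code))
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = ResetSession(username, code, user is not None,
                                          self.now() + CODE_TTL_SECONDS)
        return sid, GENERIC_RESPONSE

    # Phase 2: identity verification with expiry and a bounded number of attempts.
    def verify(self, sid: str, submitted: str) -> bool:
        s = self.sessions.get(sid)
        if s is None or self.now() > s.expires_at:
            self.sessions.pop(sid, None)
            return False
        s.attempts_left -= 1
        # Compared in constant time for decoy sessions as well, so timing does
        # not reveal whether the username was known.
        matched = hmac.compare_digest(s.code.encode(), submitted.encode())
        if matched and s.known:
            s.verified = True
            return True
        if s.attempts_left <= 0:
            del self.sessions[sid]
        return False

    # A verified session authorizes exactly one reset action and is then consumed.
    def _consume_verified(self, sid: str) -> Optional[ResetSession]:
        s = self.sessions.pop(sid, None)
        if s is None or not s.verified or self.now() > s.expires_at:
            return None
        return s

    # Phase 3a: set a new password (policy is checked before the session is spent).
    def set_password(self, sid: str, new_password: str) -> bool:
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        s = self._consume_verified(sid)
        if s is None:
            return False
        self.users[s.username]["pw"] = hash_password(new_password)
        return True

    # Phase 3b: unlock the account (would sit behind a 2nd-factor step in a real flow).
    def unlock_user(self, sid: str) -> bool:
        s = self._consume_verified(sid)
        if s is None:
            return False
        self.users[s.username]["locked"] = False
        return True

    def check_login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or user["locked"]:
            return False
        salt, digest = user["pw"]
        return hmac.compare_digest(digest, hash_password(password, salt)[1])


def sample_users() -> dict:
    """Constructed sample store for the example; not real accounts."""
    return {"alice": {"email": "alice@example.test",
                      "pw": hash_password("old-password-1"), "locked": True}}
```

The point of the decoy session is that `identify("mallory")` and `identify("alice")` return the same message, create the same kind of session, and cost the same work; only the outbox differs, which the client cannot see. A real deployment would additionally rate-limit `identify` per source and per username, since the generic response does not stop an attacker from triggering a flood of e-mails or SMS.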