Password reset flow example

A typical password reset self-service has the following steps:

  1. Enter Username: the user enters the username or alias.
  2. User Verification: typically one of the following three actions is taken to verify the user's identity:
    1. Email Verification: an email message containing an OTP or link is sent to the address stored in the user account.
    2. SMS Verification: an OTP code is sent to the mobile phone number stored in the user account. The user must enter the correct OTP code to proceed to the next step.
    3. Secret Questions: the user must correctly answer a number of "secret questions". The answers must have been recorded by the user beforehand.
  3. Second Authentication Factor (optional): the second-factor token (Airlock 2FA) must be provided. This step is optional.
  4. Choose a new password: the user may choose a new password satisfying the password policy. Alternatively, a user might want to order a new password letter in this step.

The above flow is an example. In particular, the Loginapp REST API is flexible and allows for other flows.

User enumeration protection (stealth mode):

Since the username is involved in this service, an attacker might learn about valid user names through this self-service (user enumeration).

To prevent this, Airlock IAM provides a mode in which the self-service is simulated for non-existing usernames such that a potential attacker cannot distinguish a real username from a non-existing one. The mode can be enabled or disabled in the configuration.
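The stealth-mode behaviour described above, as an added illustration that is not Airlock IAM's own code: a minimal reset handler in which an unknown username gets a simulated session, so the username step and the OTP step return the same shape of response and the same error either way. The account store, session store and the email sink are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store: username -> email address on file.
ACCOUNTS = {"alice": "alice@example.com"}

# Pending reset sessions: token -> {"user": username or None, "otp_hash": hex}.
# A session with user=None is a simulated one created for an unknown username.
SESSIONS = {}

# Collected instead of actually sending mail, so the example runs offline.
SENT_EMAILS = []


def start_reset(username, stealth=True):
    """Username step: start a reset session and send an OTP to the address on file.

    With stealth=False an unknown username is rejected outright, which tells the
    caller whether the account exists. With stealth=True an unknown username gets
    a simulated session: same work done, same response fields, no email sent."""
    email = ACCOUNTS.get(username)
    if email is None and not stealth:
        return {"status": "error", "reason": "unknown user"}  # leaks existence
    token = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    # Hash the OTP on both paths so real and simulated sessions do the same work.
    SESSIONS[token] = {
        "user": username if email is not None else None,
        "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
    }
    if email is not None:
        SENT_EMAILS.append((email, otp))
    return {"status": "ok", "next": "verify_otp", "token": token}


def verify_otp(token, otp):
    """OTP step: a simulated session can never succeed, but it fails with exactly
    the same error a real session returns for a wrong code."""
    session = SESSIONS.get(token)
    if session is None:
        return {"status": "error", "reason": "invalid code"}
    submitted = hashlib.sha256(otp.encode()).hexdigest()
    matches = hmac.compare_digest(session["otp_hash"], submitted)
    if matches and session["user"] is not None:
        return {"status": "ok", "next": "choose_password"}
    return {"status": "error", "reason": "invalid code"}
```

In a real deployment the same principle extends to response timing and to the later steps (second factor, password choice), which must also be walked through for the simulated session.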