A typical password reset self-service has the following steps:

- Enter Username: the user enters the username or alias.
- User Verification: typically one of the following three actions is taken to verify the user's identity:
  - Email Verification: an email message containing an OTP or link is sent to the address stored in the user account.
  - SMS Verification: an OTP code is sent to the mobile phone number stored in the user account. The user must enter the correct OTP code to proceed to the next step.
  - Secret Questions: the user must correctly answer a number of "secret questions". The answers must have been recorded by the user beforehand.
- Second Authentication Factor (optional): the second-factor token (Airlock 2FA) must be provided. This step is optional.
- Choose a new password: the user may choose a new password satisfying the password policy. Alternatively, a user might want to order a new password letter in this step.

The above flow is an example. In particular, the Loginapp REST API is flexible and allows for other flows.
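
The following is an added example, not Airlock IAM code and not its Loginapp REST API: a minimal Python model of the flow above that tracks the current step on the server side, so the new-password step is reachable only after user verification and, when required, the second factor. `ResetFlow`, `FlowError`, the state names, the 6-digit OTP and the minimum-length check standing in for the password policy are all assumptions made for illustration.

```python
import hmac
import secrets

class FlowError(Exception):
    """Raised when a step is called out of order or its check fails."""

class ResetFlow:
    def __init__(self, require_second_factor=False, min_length=12):
        self.require_second_factor = require_second_factor
        self.min_length = min_length  # stand-in for the configured password policy
        self.state = "ENTER_USERNAME"
        self._otp = None

    def _expect(self, state):
        # Every step checks the server-side state before doing anything else.
        if self.state != state:
            raise FlowError(f"step not allowed in state {self.state}")

    def enter_username(self, username):
        self._expect("ENTER_USERNAME")
        self.username = username
        # OTP that would be sent by email or SMS to the address/number on the account.
        self._otp = f"{secrets.randbelow(10**6):06d}"
        self.state = "VERIFY_USER"
        return self._otp  # returned only so this example runs offline

    def verify_otp(self, code):
        self._expect("VERIFY_USER")
        # Constant-time comparison of the submitted code with the issued one.
        if not hmac.compare_digest(code.encode(), self._otp.encode()):
            raise FlowError("wrong OTP")
        self._otp = None  # single use
        self.state = "SECOND_FACTOR" if self.require_second_factor else "NEW_PASSWORD"

    def verify_second_factor(self, token_ok):
        self._expect("SECOND_FACTOR")
        if not token_ok:
            raise FlowError("second factor rejected")
        self.state = "NEW_PASSWORD"

    def choose_password(self, new_password):
        self._expect("NEW_PASSWORD")
        if len(new_password) < self.min_length:
            raise FlowError("password policy not satisfied")
        self.state = "DONE"

if __name__ == "__main__":
    flow = ResetFlow(require_second_factor=True)
    flow.verify_otp(flow.enter_username("alice"))  # constructed sample user
    flow.verify_second_factor(True)
    flow.choose_password("correct horse battery")
    print(flow.state)
```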