Password reset for locked users

This article describes how a password reset flow may be enabled for locked end-users.

The IAM configuration defines whether locked users are allowed to start a password reset flow or not. In the configuration example below, locked users get a limited number of password reset attempts. The number of allowed attempts is configured in
Loginapp >> Public Self-Service Flows >> Max Failed Factor Attempts

To enable users with locked accounts and lock reason LockReason.TooManyAuthAtts.PASSWORD to use the password reset flow, the configuration settings below are required. Usually, the flow is configured such that the user account is unlocked in the case of a successful reset.

  • Go to:
    Loginapp >> Public Self-Service Flows >> a flow for password reset
  • In theĀ Default Password Reset Restrictions, the option Allow Locked User must be enabled.
  • In the flow, an Unlock User Step must be configured as the last step of the flow.

A user that successfully completes this flow will have the following changes applied to their account in case they were locked with lock reason LockReason.TooManyAuthAtts.PASSWORD:

  • The failed logins counter for authentication method PASSWORD is set to 0.
  • The account lock status is set to false (the account is not locked).
  • The failed factor counter of the verification method is set to 0.

Using different authentication method identifiers for passwords

The above setup describes how to allow password reset in case the authentication method identifier used for the password authentication step corresponding to the password to be reset is PASSWORD.

In advanced setups where a different authentication method identifier, e.g. OTHER_PASSWORD, is used in the corresponding password step, the password reset configuration must be adapted as follows:

  • Configure advanced password reset restrictions and set the Allowed Lock Reasons in the Locked User Restriction to LockReason.TooManyAuthAtts.OTHER_PASSWORD.
  • Change the Failed Attempts Counters to Reset in the Unlock User Step to OTHER_PASSWORD.

Defining any Failed Attempts Counters to Reset other than the one associated with the password being reset may allow brute force attacks on the associated authentication method.