Account recovery flows
Account recovery allows registered users to regain access to their account in case they forget their password or lose access to any other authentication method they have set up for multi-factor or passwordless authentication with Identity Cloud.
Identity Cloud supports two account recovery flows: a flow with password and a flow without password, both described below.
Each flow provides multiple options for users to get back into their accounts, but they differ in setup and usability.
Flow dependencies
Users can recover their account using a number of authentication methods besides a password. This influences the overall account recovery flow.
The account recovery flow depends on the following two factors:
- The authentication options applied by the administrator in the Management console define the authentication methods the user can set up for their account.
- The authentication methods the user sets up during signup define the options they have to get back into their account.
Example case
The administrator sets Single-factor authentication in the Management console. In this case, users have to present a registered username (email) and password to log in. Once set up, this authentication method is always active for the users. The users can get back into their accounts by requesting a password reset code to be sent to their registered email address.
If the administrator also enables the use of Social login options under Single-factor authentication in the Management console, the way the user can get back into their account depends on which authentication method they set up for their account: email and password, social login, or both.
Account recovery flows
The password reset flow is available with single-factor authentication and multi-factor authentication only. The password authentication method is always active and cannot be disabled for these two authentication types.
Passwordless authentication offers a different solution: email codes for account recovery.
Flow with password
To reset the password, the user clicks Forgot password on the login page. An email with a code is sent to the email address that the user registered to their account. After entering the received code on the Email verification page, the user is prompted to set a new password.
After a successful password reset, the user is automatically logged in to Identity Cloud.
In the case of an administrator-initiated password reset, the user is redirected to the default return URL of your application after successfully resetting the password.
In the case of multi-factor authentication, after a successful password reset, the user is required to provide further verification to access their account.
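The following model of the password reset flow described above is an added example, not Identity Cloud's code: the code emailed on Forgot password is single-use, short-lived, checked with a constant-time comparison and limited to a few attempts, and after the reset a single-factor account is logged in while a multi-factor account is sent on to further verification (the MFA check taking precedence over the redirect is an assumption of this model).

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 600   # assumed lifetime of an emailed reset code
MAX_ATTEMPTS = 5         # assumed cap on wrong codes before the code is voided


@dataclass
class Account:
    email: str
    password_hash: str
    auth_type: str                        # "single-factor" | "multi-factor" | "passwordless"
    reset_code: Optional[str] = None
    reset_expires_at: float = 0.0
    attempts_left: int = 0


class RecoveryError(Exception):
    pass


def start_password_reset(account: Account, now: float) -> str:
    """Forgot password: mint a one-time code for the registered email address.

    The returned code is what the mailer sends; it is never shown in the app.
    """
    if account.auth_type == "passwordless":
        raise RecoveryError("password reset is only available with single- or multi-factor auth")
    account.reset_code = f"{secrets.randbelow(10**6):06d}"
    account.reset_expires_at = now + CODE_TTL_SECONDS
    account.attempts_left = MAX_ATTEMPTS
    return account.reset_code


def complete_password_reset(account: Account, submitted_code: str, new_password_hash: str,
                            now: float, admin_initiated: bool = False,
                            default_return_url: str = "/") -> dict:
    """Email verification page: check the code, set the new password, decide what happens next."""
    if account.reset_code is None or now > account.reset_expires_at:
        account.reset_code = None
        raise RecoveryError("no valid reset code; request a new one")
    if not hmac.compare_digest(account.reset_code, submitted_code):
        account.attempts_left -= 1
        if account.attempts_left <= 0:
            account.reset_code = None          # too many guesses voids the code
        raise RecoveryError("incorrect code")
    account.reset_code = None                  # single-use: a replayed code fails
    account.password_hash = new_password_hash
    needs_second_factor = account.auth_type == "multi-factor"
    return {"logged_in": not needs_second_factor,
            "requires_second_factor": needs_second_factor,
            "redirect": default_return_url if admin_initiated else None}
```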
Flow without password
The passwordless recovery flow is available with passwordless signup only. It relies on the local passkey, PIN, and biometric capabilities of the user's device, and provides passwordless fallback verification flows such as email code authentication.
To recover a passwordless account, the user can verify their identity with:
- The local passkey capabilities of their device.
- The access app.
- A verification code sent to their registered email address.
After successful verification, the user is logged in.