---
title: CIAM-Passwordless-Protect-Account-Recovery-Subflow
description: The CIAM-Passwordless-Protect-Account-Recovery-Subflow lets users regain access to their account if they know their username and have at least one alternate method of identification configured for their account.
component: pingone-solutions
page_id: pingone-solutions:pingone-customers-passwordless:flow_reference/ciam_passwordless_ciam_account_recovery
canonical_url: https://docs.pingidentity.com/pingone-solutions/pingone-customers-passwordless/flow_reference/ciam_passwordless_ciam_account_recovery.html
revdate: July 22, 2024
section_ids:
  purpose: Purpose
  structure: Structure
  input-schema: Input schema
  output-schema: Output schema
  variables: Variables
---

# CIAM-Passwordless-Protect-Account-Recovery-Subflow

The CIAM-Passwordless-Protect-Account-Recovery-Subflow lets users regain access to their account if they know their username and have at least one alternate method of identification configured for their account.

## Purpose

The **CIAM-Passwordless-Protect-Account-Recovery-Subflow** presents users who have forgotten their password with multiple means of recovering their account. Users provide their username and PingOne Protect performs a threat analysis. Users then select an alternate method of identification. The flow verifies that the username exists and has multi-factor authentication (MFA) enabled, then uses the selected method to reset the account password.

## Structure

![Diagram of the structure, as described below.](../_images/ylg1705438890857.png)

This flow is divided into sections using teleport nodes:

* **Forgot Password Form**

  Presents a custom HTML form on which users can enter the email address of their account. When the user clicks **Submit**, the flow progresses to the **PingOne Protect Threat Detection Analysis** section.

* **PingOne Protect Threat Detection Analysis**

  Invokes the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow.

  If the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow completes successfully, the PingOne Protect values are saved as variables and a comparison node determines whether the device is a known device. If not, PingOne nodes find the user and send an email notification to the user.

  A function node then examines the risk score.

  * If the risk score is low or medium, the flow progresses to the **Send Recovery Code If Applicable** section.

  * If the risk score is high, a PingOne node updates PingOne Protect with the failed evaluation and an error message is displayed.

  If the **CIAM-Passwordless-Protect-Threat-Detection-Subflow** subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes find the user, send an email notification to the user informing them that their account is disabled, update the user's status, and update the user's risk notification. An error message is then displayed.

* **Send Recovery Code If Applicable**

  Uses a PingOne node to find a user with the specified email address. If the user is found, a second PingOne node sends a recovery code, and the flow progresses to the **Recovery Code Form** section. If the user is not found, an error message is displayed.

* **Recovery Code Form**

  Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page with multiple options. If the user submits a recovery code with a new password, the flow progresses to the **Verify Password and Recovery Code** section. If the user resends the recovery code, the flow progresses to the **Resend Recovery Code** section.

* **Verify Password and Recovery Code**

  Uses a comparison node to verify that the new password and the confirmed password match, displaying an error message if they do not. The number of recovery attempts is then incremented by one and compared to the maximum. If it does not exceed the maximum, the flow progresses to the **Update Password and Show Success Message** section.

* **Resend Recovery Code**

  Uses a PingOne node to send a new recovery code, then displays a success message to the user.

* **Update Password and Show Success Message**

  Uses a PingOne node to send the recovery code and new password to PingOne. If the recovery code is correct and the new password is valid, a success message is displayed and the flow progresses to the **Return Success** section. If the recovery code or new password is incorrect or invalid, an error message is displayed.

* **Return Success**

  Sends a success JSON response, indicating that the flow has completed successfully.

* **Return Error**

  Sends an error JSON response, indicating that the flow completed unsuccessfully.
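
The branching described in the sections above can be modelled in plain JavaScript to check the expected outcomes for risk routing and the recovery-attempt limit. This is an added example, not Ping Identity's flow code: the function names, the shape of the `protect` object, the counter starting at 0, and the outcome when the limit is exceeded are assumptions.

```javascript
// Added model of the subflow's branching; not PingOne or DaVinci code.
// Section names are the page's; function names, object shapes, the counter
// starting at 0 and the over-limit outcome are assumptions.

// Routing once CIAM-Passwordless-Protect-Threat-Detection-Subflow returns.
function routeAfterProtect(protect) {
  if (!protect.subflowSucceeded) {
    return { next: "error", actions: ["emailAccountDisabled", "updateUserStatus", "updateRiskNotification"] };
  }
  const actions = protect.knownDevice ? [] : ["emailUserNotification"];
  const level = String(protect.riskLevel).toLowerCase();
  if (level === "low" || level === "medium") {
    return { next: "Send Recovery Code If Applicable", actions };
  }
  // High risk; any unrecognised level is treated the same way (assumption).
  return { next: "error", actions: actions.concat("updateProtectFailedEvaluation") };
}

// "Verify Password and Recovery Code": a mismatch is rejected before the
// attempt counter is incremented, so only well-formed submissions count.
function verifySubmission(attempts, form, recoveryLimit) {
  if (form.newPassword !== form.confirmPassword) {
    return { next: "error:passwordMismatch", attempts };
  }
  const used = attempts + 1;
  if (used > recoveryLimit) {
    return { next: "error:limitExceeded", attempts: used };
  }
  return { next: "Update Password and Show Success Message", attempts: used };
}

// Replays a list of form submissions against one flow instance.
function replay(forms, recoveryLimit) {
  let attempts = 0;
  return forms.map((form) => {
    const result = verifySubmission(attempts, form, recoveryLimit);
    attempts = result.attempts;
    return result.next;
  });
}

// Constructed sample input: one typo, then repeated submissions with a limit of 2.
const ok = { newPassword: "N3w-pass!", confirmPassword: "N3w-pass!" };
const typo = { newPassword: "N3w-pass!", confirmPassword: "N3w-pas" };
console.log(replay([typo, ok, ok, ok], 2));
console.log(routeAfterProtect({ subflowSucceeded: true, knownDevice: false, riskLevel: "HIGH" }));
```

Here the limit of 2 stands in for the value of `ciam_recoveryLimit`; the third well-formed submission is the first one refused.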

## Input schema

This flow has the following inputs.

| Input Name          | Required? | Description                                                                   |
| ------------------- | --------- | ----------------------------------------------------------------------------- |
| `ciam_companyLogo`  | No        | The company logo. Used only when the main flow was launched using the widget. |
| `ciam_riskPolicyID` | None      | The PingOne Protect policy ID.                                                |

## Output schema

This flow has the following outputs.

| Output Name          | Description                                                |
| -------------------- | ---------------------------------------------------------- |
| `ciam_pingOneUserId` | The user ID of the current user.                           |
| `ciam_subflowResult` | The result status of the flow.                             |
| `ciam_authMethod`    | The authentication method that was configured by the flow. |
| `ciam_errorMessage`  | The error message to display in the parent flow.           |

## Variables

This flow uses the following variables.

| Variable Name              | Description                                                           |
| -------------------------- | --------------------------------------------------------------------- |
| `ciam_logoStyle`           | The HTML style to use for your company logo.                          |
| `ciam_logoUrl`             | The URL for your company logo.                                        |
| `ciam_companyName`         | Displays the name of your company.                                    |
| `ciam_recoveryLimit`       | The maximum number of times a user can attempt to recover an account. |
| `ciam_riskPolicyID`        | The PingOne Protect policy ID.                                        |
| `ciam_protectPredictor`    | The recommendation made by PingOne Protect.                           |
| `ciam_protectDeviceStatus` | The status of the user's device as determined by PingOne Protect.     |
| `ciam_protectRiskLevel`    | The risk level of the current user as determined by PingOne Protect.  |
| `ciam_protectRiskID`       | The risk ID of the current user as used by PingOne Protect.           |
