CIAM-Passwordless-Protect-Account-Recovery-Subflow

The CIAM-Passwordless-Protect-Account-Recovery-Subflow lets users regain access to their account if they know their username and have at least one alternate method of identification configured for their account.

Purpose

The CIAM-Passwordless-Protect-Account-Recovery-Subflow presents users who have forgotten their password with multiple means of recovering their account. Users provide their username and PingOne Protect performs a threat analysis. Users then select an alternate method of identification. The flow verifies that the username exists and has multi-factor authentication (MFA) enabled, then uses the selected method to reset the account password.

Structure

This flow is divided into sections using teleport nodes:

Forgot Password Form: Presents a custom HTML form on which users can enter the email address of their account. When the user clicks Submit, the flow progresses to the PingOne Protect Threat Detection Analysis section.
PingOne Protect Threat Detection Analysis: Invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables and a comparison node determines whether the device is a known device. If not, PingOne nodes find the user and send an email notification to the user.

A function node then examines the risk score.

If the risk score is low or medium, the flow progresses to the Send Recovery Code If Applicable section.
If the risk score is high, a PingOne node updates PingOne Protect with the failed evaluation and an error message is displayed.

If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes find the user, send an email notification to the user informing them that their account is disabled, update the user’s status, and update the user’s risk notification. An error message is then displayed.

Send Recovery Code If Applicable: Uses a PingOne node to find a user with the specified email address. If the user is found, a second PingOne node sends a recovery code, and the flow progresses to the Recovery Code Form section. If the user is not found, an error message is displayed.
Recovery Code Form: Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page with multiple options. If the user submits a recovery code with a new password, the flow progresses to the Verify Password and Recovery Code section. If the user resends the recovery code, the flow progresses to the Resend Recovery Code section.
Verify Password and Recovery Code: Uses a comparison node to verify that the new password and the confirmed password match, displaying an error message if they do not. The number of recovery attempts is then incremented by one and compared to the maximum. If it does not exceed the maximum, the flow progresses to the Update Password and Show Success Message section.
Resend Recovery Code: Uses a PingOne node to send a new recovery code, then displays a success message to the user.
Update Password and Show Success Message: Uses a PingOne node to send the recovery code and new password to PingOne. If the recovery code is correct and the new password is valid, a success message is displayed and the flow progresses to the Return Success section. If the recovery code or new password is incorrect or invalid, an error message is displayed.
Return Success: Sends a success JSON response, indicating that the flow has completed successfully.
Return Error: Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.

Input Name Required? Description

Input Name	Required?	Description
`ciam_companyLogo`	No	The company logo. Used only when the main flow was launched using the widget.

ciam_companyLogo

The company logo.

Used only when the main flow was launched using the widget.

Output schema

This flow has the following outputs.

Output Name Description

Output Name	Description
`ciam_pingOneUserId`	The user ID of the current user.
`ciam_subflowResult`	The result status of the flow.
`ciam_authMethod`	The authentication method that was configured by the flow.
`ciam_errorMessage`	The error message to display in the parent flow.

ciam_pingOneUserId

The user ID of the current user.

ciam_subflowResult

The result status of the flow.

ciam_authMethod

The authentication method that was configured by the flow.

ciam_errorMessage

The error message to display in the parent flow.

Variables

This flow uses the following variables.

Variable Name Description

Variable Name	Description
`ciam_logoStyle`	The HTML style to use for your company logo.
`ciam_logoUrl`	The URL for your company logo.
`ciam_companyName`	Displays the name of your company.
`ciam_recoveryLimit`	The maximum number of times a user can attempt to recover an account.
`ciam_protectPredictor`	The recommendation made by PingOne Protect.
`ciam_protectDeviceStatus`	The status of the user’s device as determined by PingOne Protect.
`ciam_protectRiskLevel`	The risk level of the current user as determined by PingOne Protect.
`ciam_protectRiskID`	The risk ID of the current user as used by PingOne Protect.

ciam_logoStyle

The HTML style to use for your company logo.

ciam_logoUrl

The URL for your company logo.

ciam_companyName

Displays the name of your company.

ciam_recoveryLimit

The maximum number of times a user can attempt to recover an account.

ciam_protectPredictor

The recommendation made by PingOne Protect.

ciam_protectDeviceStatus

The status of the user’s device as determined by PingOne Protect.

ciam_protectRiskLevel

The risk level of the current user as determined by PingOne Protect.

ciam_protectRiskID

The risk ID of the current user as used by PingOne Protect.

PingOne for Customers Passwordless