CIAM-Passwordless-Protect-Account-Recovery-Subflow
The CIAM-Passwordless-Protect-Account-Recovery-Subflow lets users regain access to their account if they know their username and have at least one alternate method of identification configured for their account.
Purpose
The CIAM-Passwordless-Protect-Account-Recovery-Subflow presents users who have forgotten their password with multiple means of recovering their account. Users provide their username and PingOne Protect performs a threat analysis. Users then select an alternate method of identification. The flow verifies that the username exists and has multi-factor authentication (MFA) enabled, then uses the selected method to reset the account password.
Structure
This flow is divided into sections using teleport nodes:
- Forgot Password Form
-
Presents a custom HTML form on which users can enter the email address of their account. When the user clicks Submit, the flow progresses to the PingOne Protect Threat Detection Analysis section.
- PingOne Protect Threat Detection Analysis
-
Invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.
If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables and a comparison node determines whether the device is a known device. If not, PingOne nodes find the user and send an email notification to the user.
A function node then examines the risk score.
-
If the risk score is low or medium, the flow progresses to the Send Recovery Code If Applicable section.
-
If the risk score is high, a PingOne node updates PingOne Protect with the failed evaluation and an error message is displayed.
If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes find the user, send an email notification to the user informing them that their account is disabled, update the user’s status, and update the user’s risk notification. An error message is then displayed.
- Send Recovery Code If Applicable
-
Uses a PingOne node to find a user with the specified email address. If the user is found, a second PingOne node sends a recovery code, and the flow progresses to the Recovery Code Form section. If the user is not found, an error message is displayed.
- Recovery Code Form
-
Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page with multiple options. If the user submits a recovery code with a new password, the flow progresses to the Verify Password and Recovery Code section. If the user resends the recovery code, the flow progresses to the Resend Recovery Code section.
- Verify Password and Recovery Code
-
Uses a comparison node to verify that the new password and the confirmed password match, displaying an error message if they do not. The number of recovery attempts is then incremented by one and compared to the maximum. If it does not exceed the maximum, the flow progresses to the Update Password and Show Success Message section.
- Resend Recovery Code
-
Uses a PingOne node to send a new recovery code, then displays a success message to the user.
- Update Password and Show Success Message
-
Uses a PingOne node to send the recovery code and new password to PingOne. If the recovery code is correct and the new password is valid, a success message is displayed and the flow progresses to the Return Success section. If the recovery code or new password is incorrect or invalid, an error message is displayed.
- Return Success
-
Sends a success JSON response, indicating that the flow has completed successfully.
- Return Error
-
Sends an error JSON response, indicating that the flow completed unsuccessfully.
Input schema
This flow has the following inputs.
Input Name | Required? | Description |
---|---|---|
|
No |
The company logo. Used only when the main flow was launched using the widget. |
Output schema
This flow has the following outputs.
Output Name | Description |
---|---|
|
The user ID of the current user. |
|
The result status of the flow. |
|
The authentication method that was configured by the flow. |
|
The error message to display in the parent flow. |
Variables
This flow uses the following variables.
Variable Name | Description |
---|---|
|
The HTML style to use for your company logo. |
|
The URL for your company logo. |
|
Displays the name of your company. |
|
The maximum number of times a user can attempt to recover an account. |
|
The recommendation made by PingOne Protect. |
|
The status of the user’s device as determined by PingOne Protect. |
|
The risk level of the current user as determined by PingOne Protect. |
|
The risk ID of the current user as used by PingOne Protect. |