PingOne for Customers Plus

CIAM Plus With Protect - Account Recovery - Email - Subflow

The CIAM Plus With Protect - Account Recovery - Email - Subflow lets users recover a lost account using an email address.

Purpose

The CIAM Plus With Protect - Account Recovery - Email - Subflow presents users who have forgotten their password with the ability to reset it using their email address. Users provide and verify their email address. The flow provides a form for the user to enter a new password, then verifies and saves the new password.

Structure

This flow is divided into sections using teleport nodes:

Forgot Password Form

Presents a custom HTML form on which users can enter the email address of their account. When the user clicks Submit, the flow progresses to the Do Protect Analysis & Send Recovery Code If Applicable section.

Do Protect Analysis & Send Recovery Code If Applicable

The flow progresses to the Threat Detection And Mitigation section. When this section completes, the flow uses a PingOne node to find a user with the specified email address. If the user is found, is active, and currently has a password, a PingOne node sends a recovery code and the flow progresses to the Recovery Code Form section.

Recovery Code Form

Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page on which the user enters the recovery code and enters and confirms a new password:

  • If the user clicks Submit, the flow progresses to the Verify Password section.

  • If the user clicks Cancel, the flow progresses to the Forgot Password Form section.

  • If the user clicks Resend, the flow progresses to the Resend Recovery Code section.

Verify Password And Recovery Code

Uses function nodes to verify that the new password and the confirmed password match and to validate the new password, displaying an error message if either condition is not met. If both checks pass, the flow progresses to the Update Password and Show Success Message section.

Update Password And Show Success Message

The number of recovery attempts is incremented by one and compared to the maximum. If it does not exceed the maximum, PingOne nodes save the new password and send a password change email to the user. The flow then progresses to the Return Success section. If the recovery code or new password is incorrect or invalid, function nodes prepare the error details, then an error message is displayed.

Resend Recovery Code

The number of resend attempts is incremented by one and compared to the maximum. If it does not exceed the maximum, a PingOne node sends a new recovery code. A confirmation message is then displayed.

Threat Detection And Mitigation

Uses a PingOne node to look up the user, then invokes the CIAM Plus With Protect - Threat Detection - Subflow.

If the CIAM Plus With Protect - Threat Detection - Subflow completes successfully, a function node stores the risk evaluation as a variable, then a second function node branches the flow based on the risk level:

  • If the risk level is low or medium, the flow returns to the previous section.

  • If the risk level is high, function nodes check whether the PingOne user ID is empty or whether the high risk was the result of a new device. If neither condition is true, a PingOne node notifies the user of the suspicious activity. Regardless of these conditions, an error message is then displayed.

If the CIAM Plus With Protect - Threat Detection - Subflow completes unsuccessfully, an error message is displayed.
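As an added example that is not part of the PingOne documentation or the flow itself, the following plain JavaScript models the branching rules of the Resend Recovery Code, Verify Password, Update Password and Threat Detection sections above, using the page's own input and variable names. The risk-evaluation object shape (level, newDevice), the error strings, the savePassword callback and the minimal password policy are assumptions made for illustration.

```javascript
// Added example (not PingOne's code): models the attempt limits and risk branching
// described on this page. Input and variable names follow the page; the riskEval
// shape, error strings and password policy are assumed for illustration.

function newState() {
  return { resendOtpAttempts: 0, recoveryValidationAttempts: 0, p1UserId: "", protectRiskEvalId: "" };
}

// Threat Detection And Mitigation: low/medium risk continues, high risk ends in an error.
// The user is notified only when a user ID is known and the cause is not a new device.
function branchOnRisk(state, riskEval) {
  state.protectRiskEvalId = riskEval.id;
  if (riskEval.level === "LOW" || riskEval.level === "MEDIUM") {
    return { action: "continue", notifyUser: false };
  }
  const notifyUser = state.p1UserId !== "" && !riskEval.newDevice;
  return { action: "error", notifyUser, errorMessage: "Suspicious activity detected" };
}

// Resend Recovery Code: increment first, then compare against resendOtpLimit.
function resendRecoveryCode(state, inputs) {
  state.resendOtpAttempts += 1;
  if (state.resendOtpAttempts > inputs.resendOtpLimit) {
    return { action: "error", errorMessage: "Resend limit reached" };
  }
  return { action: "sendNewCode" };
}

// Verify Password, then Update Password: the attempt counter is incremented and checked
// before the recovery code is consumed, so a wrong code still uses up an attempt.
// savePassword(code, password) stands in for the PingOne node; true means saved.
function verifyAndUpdatePassword(state, inputs, form, savePassword) {
  if (form.newPassword !== form.confirmPassword) {
    return { action: "error", errorMessage: "Passwords do not match" };
  }
  if (form.newPassword.length < 8) { // assumed minimal password policy
    return { action: "error", errorMessage: "Password does not meet policy" };
  }
  state.recoveryValidationAttempts += 1;
  if (state.recoveryValidationAttempts > inputs.recoveryLimit) {
    return { action: "error", errorMessage: "Recovery limit reached" };
  }
  if (!savePassword(form.recoveryCode, form.newPassword)) {
    return { action: "error", errorMessage: "Invalid recovery code or password" };
  }
  return { action: "success", subflowResult: "SUCCESS" };
}
```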

Return Success

Sends a success JSON response, indicating that the flow completed successfully.

Return Error

Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs:

Input Name | Required? | Description
--- | --- | ---
companyLogo | No | The company logo. Used only when the main flow was launched using the widget.
protectriskPolicyId | No | The ID of the PingOne Protect risk policy to use in the flow.
username | No | The username of the account being recovered.
resendOtpLimit | Yes | The maximum number of times a user can resend a one-time passcode (OTP).
recoveryLimit | Yes | The maximum number of times a user can attempt to recover an account.

Output schema

This flow has the following outputs:

Output Name | Description
--- | ---
p1UserId | The user ID of the current user.
subflowResult | The result status of the flow.
authMethod | The authentication method that was configured by the flow.
errorMessage | The error message to display in the parent flow.
errorDetails | The details of the error that occurred in this flow.

Variables

This flow uses the following variables:

Variable Name | Description
--- | ---
resendOtpAttempts | The number of times the user has resent an OTP.
recoveryValidationAttempts | The number of times the user has attempted account validation.
protectRiskEvalId | The risk ID of the current user returned by PingOne Protect.