Purpose

The OOTB - Account Recovery - Subflow presents users who have forgotten their password with multiple means of recovering their account. Users provide their username and PingOne Protect performs a threat analysis. Users then select an alternate method of identification. The flow verifies that the username exists and has multi-factor authentication (MFA) enabled, then uses the selected method to reset the account password.

Structure

Diagram of the OOTB - Account Recovery - Subflow structure, as described below.

This flow is divided into sections using teleport nodes:

Forgot Password Form
Presents a custom HTML form on which users can enter the email address of their account. When the user clicks Submit, the flow progresses to the PingOne Protect Threat Detection Analysis section.
PingOne Protect Threat Detection Analysis

Invokes the OOTB - PingOne Protect Threat Detection - Subflow subflow.

If the OOTB - PingOne Protect Threat Detection - Subflow subflow completes successfully, the PingOne Protect values are saved as variables and a comparison node determines whether the device is a known device. If not, PingOne nodes find the user and send an email notification to the user.

A function node then examines the risk score.
  • If the risk score is low or medium, the flow progresses to the Send Recovery Code If Applicable section.
  • If the risk score is high, a PingOne node updates PingOne Protect with the failed evaluation and an error message is displayed.

If the OOTB - PingOne Protect Threat Detection - Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes find the user, send an email notification to the user informing them that their account is disabled, update the user's status, and update the user's risk notification. An error message is then displayed.

Send Recovery Code If Applicable
Uses a PingOne node to find a user with the specified email address. If the user is found, a second PingOne node sends a recovery code, and the flow progresses to the Recovery Code Form section. If the user is not found, an error message is displayed.
Recovery Code Form
Uses a flow instance variable to begin tracking the number of recovery attempts, then presents the user with an HTML page with multiple options. If the user submits a recovery code with a new password, the flow progresses to the Verify Password and Recovery Code section. If the user resends the recovery code, the flow progresses to the Resend Recovery Code section.
Verify Password and Recovery Code
Uses a comparison node to verify that the new password and the confirmed password match, displaying an error message if they do not. The number of recovery attempts is then incremented by one and compared to the maximum. If it does not exceed the maximum, the flow progresses to the Update Password and Show Success Message section.
Resend Recovery Code
Uses a PingOne node to send a new recovery code, then displays a success message to the user.
Update Password and Show Success Message
Uses a PingOne node to send the recovery code and new password to PingOne. If the recovery code is correct and the new password is valid, a success message is displayed and the flow progresses to the Return Success section. If the recovery code or new password is incorrect or invalid, an error message is displayed.
Return Success
Sends a success JSON response, indicating that the flow has completed successfully.
Return Error
Sends an error JSON response, indicating that the flow completed unsuccessfully.

Input schema

This flow has the following inputs.

Input Name Required? Description

ciam_companyLogo

No

The company logo.

Used only when the main flow was launched using the widget.

Output schema

This flow has the following outputs.

Output Name Description

ciam_pingOneUserId

The user ID of the current user.

ciam_subflowResult

The result status of the flow.

ciam_authMethod

The authentication method that was configured by the flow.

ciam_errorMessage

The error message to display in the parent flow.

Variables

This flow uses the following variables.

Variable Name Description

ciam_logoStyle

The HTML style to use for your company logo.

ciam_logoUrl

The URL for your company logo.

ciam_companyName

Displays the name of your company.

ciam_recoveryLimit

The maximum number of times a user can attempt to recover an account.

ciam_protectPredictor

The recommendation made by PingOne Protect.

ciam_protectDeviceStatus

The status of the user's device as determined by PingOne Protect.

ciam_protectRiskLevel

The risk level of the current user as determined by PingOne Protect.

ciam_protectRiskID

The risk ID of the current user as used by PingOne Protect.