Support AI Skill

Automated Password Reset

Fully automate password reset and account recovery without agent involvement including multi-factor authentication, identity verification, account lockout handling, suspicious activity detection, and security audit logging. Use when setting up self-service...

Automated Password Reset & Account Recovery

Fully automate password reset and account recovery processes, eliminating agent involvement while maintaining security through multi-factor verification and suspicious activity detection.

Workflow

1. Password Reset Flow

Standard password reset process:

Customer clicks "Forgot Password" on login page
System sends verification email to account email
Customer clicks time-limited link (valid for 15 minutes)
Customer enters new password (with strength requirements)
System validates: complexity, not reused (last 6 passwords), not in breach database
Password updated, all sessions revoked, confirmation email sent
Audit log entry created (timestamp, IP address, user agent)
Total time: <2 minutes

Alternative verification methods:

Email verification (primary)
SMS code (secondary, if phone on file)
Authenticator app (if MFA already configured)
Security questions (fallback, 3 of 5 correct)
Identity document verification (for high-security accounts, rare)

Password requirements enforcement:

Minimum 12 characters
Must include: uppercase, lowercase, number, special character
Cannot match last 6 passwords
Cannot contain username, company name, or common patterns
Checked against known breached passwords (HaveIBeenPwned API)
Real-time strength indicator during entry

2. Account Lockout and Recovery

Lockout prevention and handling:

Progressive delay: After 5 failed attempts, 1-minute delay; after 10, 5-minute delay; after 15, 30-minute lockout
No lockout for password reset flow (prevents denial-of-service)
CAPTCHA after 3 failed attempts (prevents automated attacks)
Account notification: Email sent when lockout occurs
Self-unlock: Wait period or password reset to unlock

Identity verification for locked accounts:

Customer requests unlock → system sends multi-factor verification
Verification options based on available contact methods
If no contact methods available → customer support escalation (rare)
After verification: Account unlocked, password reset required

3. Security and Monitoring

Suspicious activity detection:

Multiple password resets from different IPs in short period
Password reset from new device/location
Reset requests from known malicious IP ranges
Bulk reset attempts (potential credential stuffing)
Auto-escalation: Flag for security review, require additional verification

Audit logging:

Every password reset attempt logged (success/failure)
IP address, user agent, geolocation recorded
Verification method used
Time stamps for all events
Logs retained for 12 months (compliance requirement)

Templates & Frameworks

Password Reset Analytics Dashboard

PASSWORD RESET & ACCOUNT RECOVERY DASHBOARD — January 2026
===========================================================

VOLUME METRICS:
  Password resets completed: 1,234 this month (↑ 8% from December)
  Account lockouts: 234 this month (↓ 12% from December) ✓
  MFA recovery requests: 89 this month
  Agent-assisted recoveries: 12 (1.0% of total — self-service rate: 99.0%) ✓
  
  Self-service success rate: 96.8% (no agent needed)
  Average completion time: 1.8 minutes
  Abandonment rate: 5.2% (customer didn't complete reset)

RESET BY TRIGGER:
  Trigger                          | Count   | % of Total | Avg Time
  ----------------------------------|---------|------------|----------
  "Forgot Password" on login       | 834     | 67.6%      | 1.5 min
  Account lockout (too many tries) | 234     | 19.0%      | 2.3 min
  Security alert (suspicious login)| 89      | 7.2%       | 2.1 min
  Customer support request         | 45      | 3.7%       | 3.4 min
  MFA recovery                     | 32      | 2.6%       | 2.8 min
  
  Total: 1,234

VERIFICATION METHOD USAGE:
  Method                      | Usage   | Success Rate | Avg Time
  ----------------------------|---------|--------------|----------
  Email verification link     | 912     | 98.7%        | 1.2 min
  SMS code                    | 189     | 97.4%        | 1.4 min
  Authenticator app           | 89      | 99.1%        | 1.1 min
  Security questions          | 23      | 78.3%        | 3.2 min
  Agent-assisted              | 12      | 100%         | 12.4 min

SECURITY METRICS:
  Suspicious activity detected: 45 this month
    Credential stuffing attempts: 23 (blocked)
    Password reset abuse: 12 (flagged)
    Phishing-related resets: 6 (investigated — all false)
    Other suspicious: 4 (under review)
    
  Breach database matches: 89 passwords rejected (would have been compromised)
  Password reuse attempts: 67 blocked (within last 6 passwords)
  Weak password attempts: 234 rejected (didn't meet requirements)
  
  SECURITY INCIDENT RATE: 0.01% of all resets (extremely low) ✓

PASSWORD STRENGTH TREND:
  Average password score: 7.8/10 (↑ 0.3 from December) ✓
  Distribution:
    Excellent (9-10): 34% (↑ 5%)
    Good (7-8): 42% (↑ 3%)
    Acceptable (5-6): 18% (↓ 5%)
    Weak (<5): 6% (↓ 3%) ✓

ACCOUNT LOCKOUT ANALYSIS:
  Total lockouts: 234
  Average failed attempts before lockout: 12.3
  Average lockout duration: 28 minutes
  Self-unlock rate: 94.0% (customers unlocked themselves)
  Agent-assisted unlock: 14 (6.0%)
  
  Lockout root causes:
    Typo in password: 89 (38.0%)
    Forgotten password: 78 (33.3%)
    Caps lock on: 34 (14.5%)
    Account sharing/multiple users: 18 (7.7%)
    Suspicious activity (potential breach): 15 (6.4%)

COMPLIANCE & AUDIT:
  Audit log completeness: 100% ✓
  Log retention: 12 months (meets compliance requirement) ✓
  PII in logs: None (IP addresses hashed) ✓
  GDPR-compliant reset flow: Yes ✓
  SOC 2 audit status: Passed (last audit: Nov 2025)

AGENT SUPPORT IMPACT:
  Tickets deflected by self-service: 1,222
  Average cost per agent-assisted ticket: $14.50
  Cost savings from self-service: $17,719 this month
  Agent-assisted recovery tickets: 12 (1.0%)
  Reasons for agent assistance:
    No contact method available: 5
    Email not received (inbox issue): 4
    MFA device lost: 2
    Account takeover suspected: 1

Account Recovery Decision Tree

ACCOUNT RECOVERY DECISION TREE
===============================

CUSTOMER CAN'T ACCESS ACCOUNT → Determine scenario:

SCENARIO A: Forgot Password (Most Common — 68%)
  1. Click "Forgot Password" on login page
  2. Enter account email
  3. Receive verification link (check spam folder)
  4. Click link → set new password
  5. Log in with new password
  Resolution: Self-service, no agent needed
  
SCENARIO B: Account Locked (19%)
  1. Wait for lockout period to expire (shown on screen)
  2. Try password again (use password reset if forgotten)
  3. If still locked after 3 attempts → use password reset flow
  Resolution: Self-service, no agent needed
  
SCENARIO C: Email Not Received (7%)
  1. Check spam/junk folder
  2. Wait 2 minutes (email delivery delay)
  3. Click "Resend" on reset page
  4. If still not received → check email address correct
  5. If email is wrong → use "Update email" flow
  Resolution: Self-service in 80%, agent needed for 20%
  
SCENARIO D: MFA Device Lost (3%)
  1. Click "Can't access your device?" on MFA screen
  2. Verify identity via backup method (email/SMS)
  3. Set up new MFA device
  4. If no backup method → agent assistance required
  Resolution: Self-service in 70%, agent needed for 30%
  
SCENARIO E: Suspected Account Takeover (3%)
  1. Click "Someone else is using my account"
  2. System locks account immediately
  3. Security team investigates
  4. Customer identity verified via phone call
  5. Account recovered, password reset, MFA reconfigured
  Resolution: Agent/security team required
  
SCENARIO F: No Contact Method Available (Rare — <1%)
  1. Contact support with account information
  2. Provide: Company name, account email, approximate signup date
  3. Answer security questions
  4. Agent verifies identity via alternative method
  5. Account recovered
  Resolution: Agent required

Integration Points

Identity management (Auth0, Okta, Azure AD): Authentication, MFA, password policies
Email/SMS (SendGrid, Twilio): Verification code delivery
Security databases (HaveIBeenPwned, CyberChef): Breached password detection
Help desk (Zendesk, Intercom): Escalation for failed self-service
SIEM (Splunk, Datadog Security): Suspicious activity monitoring
Audit systems (internal logging): Compliance audit trails
Customer database: Account data, contact methods, security settings

Edge Cases

Customer email changed and old email inaccessible: Customer updated email, forgot password, can't receive reset on old email:
Prevention: Require email verification before email change completes
Recovery: Security questions + ID verification via support
Alternative: Phone verification if number on file
Policy: New email change requires password confirmation (prevents unauthorized changes)
Customer education: "Keep your recovery email up to date"
Customer organization requires SSO but individual password reset needed: Enterprise customer with SSO needs password reset for non-SSO access:
SSO bypass: "Reset non-SSO password" separate flow
Admin override: Company admin can force password reset from SSO admin
Fallback: Email-based reset for emergency access
Documentation: Clear distinction between SSO and local password
Password reset link phished: Customer received legitimate reset link but was tricked into clicking on attacker's device:
Link expiration: 15-minute validity window
IP/device change detection: Reset from unusual location requires additional verification
Post-reset notification: "Your password was changed on [device] from [location]"
Customer alert: If customer reports phishing, immediately lock account and revoke sessions
Education: "Never share verification codes or click links from unexpected emails"
High-volume reset attempts (credential stuffing): 500+ password reset requests from same IP range in 1 hour:
Rate limiting: Max 5 reset requests per IP per hour
CAPTCHA: Triggered after 3rd attempt per IP
IP blocking: Known malicious IPs blocked automatically
Alert: Security team notified of potential credential stuffing attack
Monitoring: All accounts targeted by attack flagged for review
Customer with email forwarding rule auto-clicking reset link: Corporate email client auto-clicks links, causing unexpected password reset:
Manual confirmation: "Confirm reset" button required after clicking link (not automatic)
New password required: Even if link clicked, must enter new password
Notification: "Password reset initiated — if this wasn't you, secure your account"
Session management: Old sessions remain active until new password set (grace period)
Edge case protection: Cannot reset to same password (prevents accidental "reset")

Output

Monthly Password Reset Report

PASSWORD RESET MONTHLY REPORT — January 2026
==============================================

PERFORMANCE:
  Self-service reset rate: 99.0% (target: >95%) ✓
  Average completion time: 1.8 minutes (target: <3 minutes) ✓
  Customer satisfaction: 4.3/5.0 (target: >4.0) ✓
  
SECURITY:
  Suspicious activity blocked: 45 incidents
  Breached passwords rejected: 89
  Security incidents: 0 confirmed breaches ✓
  False positive lockouts: 12 (1.0% — acceptable)
  
COST SAVINGS:
  Tickets deflected: 1,222
  Agent time saved: 244 hours (at 12 min/ticket)
  Cost savings: $17,719/month = $212,628/year
  
RECOMMENDATIONS:
  1. Add "Show Password" toggle (reduce "caps lock" lockouts by ~15%)
  2. Implement biometric option for mobile (fingerprint/face ID for MFA)
  3. Add password manager integration hints (improve password strength)
  4. Create "Locked Out?" help page (reduce agent-assisted recoveries)
  5. Test MFA backup code flow (currently 30% fail rate on first attempt)