---
name: automated-password-reset
description: Fully automate password reset and account recovery without agent involvement including multi-factor authentication, identity verification, account lockout handling, suspicious activity detection, and security audit logging. Use when setting up self-service password reset, handling account lockouts, configuring identity verification, managing MFA recovery, or automating account recovery workflows. Triggers on phrases like "password reset", "forgot password", "account recovery", "account lockout", "MFA recovery", "identity verification", "login issues", "account locked".
---

# Automated Password Reset & Account Recovery

Automate password reset and account recovery end to end, so that agents are involved only in the residual cases the flow cannot verify on its own, while maintaining security through multi-factor verification, rate limiting and suspicious activity detection.

## Workflow

### 1. Password Reset Flow

1. **Standard password reset process**:
   - Customer clicks "Forgot Password" on login page and enters the account email
   - System returns the same "if an account exists, a link has been sent" message whether or not the address is registered (prevents account enumeration) and, if it is, emails a single-use reset link
   - Customer clicks time-limited link (valid for 15 minutes; the random token is stored server-side only as a hash and is invalidated on first use)
   - Customer enters new password (with strength requirements)
   - System validates: complexity, not reused (last 6 passwords), not in breach database
   - Password updated, reset token invalidated, all sessions revoked, confirmation email sent
   - Audit log entry created (timestamp, IP address, user agent)
   - Total time: <2 minutes

2. **Alternative verification methods**:
   - Email verification (primary)
   - SMS code (secondary, if phone on file; weaker than the other factors because of SIM-swap and number-recycling attacks, so do not rely on it alone for high-value accounts)
   - Authenticator app (if MFA already configured; the strongest self-service option)
   - Security questions (fallback, 3 of 5 correct; answers are often guessable or exposed in earlier breaches, so never accept them as the sole proof for a high-security account)
   - Identity document verification (for high-security accounts, rare)

3. **Password requirements enforcement**:
   - Minimum 12 characters
   - Must include: uppercase, lowercase, number, special character (length and the breach check carry most of the weight; NIST SP 800-63B advises against mandatory composition rules, so treat this as policy rather than a security control)
   - Cannot match last 6 passwords (compare against stored password hashes, never a plaintext history)
   - Cannot contain username, company name, or common patterns
   - Checked against known breached passwords (HaveIBeenPwned Pwned Passwords API, queried by the first five SHA-1 hex characters so the full hash never leaves the server)
   - Real-time strength indicator during entry
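
The checks above, as an added example that is not part of the original page: a policy validator returning every violated rule, a password-history comparison against salted PBKDF2 records, and the Pwned Passwords k-anonymity lookup. The range-lookup function is injectable and is backed here by a constructed response for the prefix of `password123`, so it runs offline; the production version would issue `GET https://api.pwnedpasswords.com/range/<prefix>` and pass the body in. `fake_range_lookup`, `_FAKE_RANGE` and the sequence list are assumptions.

```python
"""Password acceptance checks for the reset flow: policy rules, history and
breach lookup. Added example, not the page's own code. The range-lookup
function is injectable so the k-anonymity query runs offline here against
constructed data; in production it fetches /range/<prefix> from the
Pwned Passwords API and returns the response body."""
import hashlib
import hmac
import os
import re
from typing import Callable, List, Optional

MIN_LENGTH = 12
HISTORY_DEPTH = 6

# Constructed stand-in for the Pwned Passwords range response: every
# "SUFFIX:COUNT" line whose SHA-1 starts with the requested 5-hex prefix.
# SHA-1("password123") = CBFDAC6008F9CAB4083784CBD1874F76618D2A97
_FAKE_RANGE = {
    "CBFDA": "0000000000000000000000000000000000A:1\r\n"
             "C6008F9CAB4083784CBD1874F76618D2A97:12345\r\n",
}


def fake_range_lookup(prefix: str) -> str:
    return _FAKE_RANGE.get(prefix, "")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """k-anonymity query: only the first 5 hex characters of the SHA-1 leave
    the server; the remaining 35 are matched locally against the response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 50_000) -> str:
    """Salted PBKDF2 record for the password-history store. Production should
    reuse whatever KDF the account store already uses (bcrypt, argon2)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
# Assumed "common pattern" list for the demo; a real deployment uses a larger one.
_SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
              "abcd", "qwer", "asdf")


def validate_new_password(password: str, username: str, company: str,
                          history: List[str],
                          range_lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """Return every violated rule (empty list means the password is accepted)
    so the UI can show all problems at once. `history` holds password records
    oldest-to-newest; only the last HISTORY_DEPTH are compared."""
    problems: List[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not all(re.search(cls, password) for cls in _CLASSES):
        problems.append("missing_character_class")
    for label, word in (("username", username), ("company", company)):
        if word and word.lower() in lowered:
            problems.append(f"contains_{label}")
    if re.search(r"(.)\1{3,}", password) or any(s in lowered for s in _SEQUENCES):
        problems.append("common_pattern")
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("reused_recent_password")
    if pwned_count(password, range_lookup) > 0:
        problems.append("found_in_breach")
    return problems
```

The breach check runs even when local rules already failed, so the real-time indicator can report everything in one round trip; the only data sent to the API is the five-character prefix, which maps to hundreds of unrelated hashes.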

### 2. Account Lockout and Recovery

1. **Lockout prevention and handling**:
   - Progressive delay: After 5 failed attempts, 1-minute delay; after 10, 5-minute delay; after 15, 30-minute lockout (counted per account, so an attacker rotating source IPs still reaches the threshold)
   - No lockout for password reset flow (an attacker could otherwise lock victims out at will); throttle reset requests per account and per IP instead
   - CAPTCHA after 3 failed attempts (prevents automated attacks)
   - Account notification: Email sent when lockout occurs
   - Self-unlock: Wait period or password reset to unlock

2. **Identity verification for locked accounts**:
   - Customer requests unlock → system sends multi-factor verification
   - Verification options based on available contact methods
   - If no contact methods available → customer support escalation (rare)
   - After verification: Account unlocked, password reset required
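
The progressive-delay, CAPTCHA and lockout rules above as a small state machine, added here as an example and not taken from the page or any product. Thresholds are the page's own (CAPTCHA at 3 failures, 1-minute wait at 5, 5-minute wait at 10, 30-minute lockout at 15); the in-memory store, the one-hour failure window and the caller-supplied clock are assumptions.

```python
"""Progressive delay, CAPTCHA gating and lockout for login attempts, using the
thresholds on this page (CAPTCHA at 3 failures; 1-minute wait at 5; 5-minute
wait at 10; 30-minute lockout at 15). Added example, not the page's own code.
The in-memory store and the caller-supplied clock are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

CAPTCHA_AFTER = 3
LOCKOUT_AT = 15
# (failure count, seconds to wait), evaluated from the highest threshold down
DELAY_STEPS = ((15, 30 * 60), (10, 5 * 60), (5, 60))
FAILURE_WINDOW = 60 * 60   # failures older than an hour are forgotten (assumed)


@dataclass
class Decision:
    allowed: bool           # may the caller run the password check now?
    captcha_required: bool  # should the UI render a CAPTCHA?
    retry_after: int        # seconds until the next attempt is accepted
    locked: bool            # lockout threshold reached and still in force
    notify_lockout: bool    # True exactly once per lockout, to trigger the email


@dataclass
class _State:
    failures: List[float] = field(default_factory=list)
    next_allowed_at: float = 0.0
    notified: bool = False


class LoginThrottle:
    """Keyed per account: rotating source IPs does not reset the counter."""

    def __init__(self) -> None:
        self._by_account: Dict[str, _State] = {}

    def _state(self, account: str, now: float) -> _State:
        st = self._by_account.setdefault(account, _State())
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        if len(st.failures) < LOCKOUT_AT:
            st.notified = False
        return st

    def check(self, account: str, now: float) -> Decision:
        """Call before verifying the password; enforces the wait set by the
        previous failure so the verifier never runs during a delay."""
        st = self._state(account, now)
        n = len(st.failures)
        wait = max(0, int(round(st.next_allowed_at - now)))
        return Decision(allowed=wait == 0, captcha_required=n >= CAPTCHA_AFTER,
                        retry_after=wait, locked=n >= LOCKOUT_AT and wait > 0,
                        notify_lockout=False)

    def record_failure(self, account: str, now: float) -> Decision:
        """Call after a wrong password; returns the wait the UI must display."""
        st = self._state(account, now)
        st.failures.append(now)
        n = len(st.failures)
        delay = next((secs for threshold, secs in DELAY_STEPS if n >= threshold), 0)
        st.next_allowed_at = now + delay
        first_lock = n >= LOCKOUT_AT and not st.notified
        st.notified = st.notified or first_lock
        return Decision(allowed=delay == 0, captcha_required=n >= CAPTCHA_AFTER,
                        retry_after=delay, locked=n >= LOCKOUT_AT,
                        notify_lockout=first_lock)

    def record_success(self, account: str) -> None:
        """A correct password, or a completed password reset (the self-unlock
        path), clears the counters."""
        self._by_account.pop(account, None)
```

`check` is what the login handler calls first; if it returns `allowed=False` the password is never compared, which is what keeps the delay from being an oracle. A completed reset calls `record_success`, matching the "password reset to unlock" path.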

### 3. Security and Monitoring

1. **Suspicious activity detection**:
   - Multiple password reset requests for one account from different IPs in a short period
   - Password reset from new device/location
   - Reset requests from known malicious IP ranges
   - Bulk reset requests from one IP range against many accounts (credential stuffing or account enumeration)
   - Auto-escalation: Flag for security review, require additional verification before the reset completes

2. **Audit logging**:
   - Every password reset attempt logged (success/failure)
   - IP address, user agent, geolocation recorded (retain the IP as a keyed hash, an HMAC under a secret key, once the investigation window has passed; an unkeyed hash of an IPv4 address is reversible by enumerating the 2^32 address space)
   - Verification method used
   - Time stamps for all events
   - Logs retained for 12 months (compliance requirement)
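
The three detection rules above, run over constructed audit events of the shape the logging list describes. This is an added example, not the page's own detection logic or any SIEM's: the event schema, the 30-minute and 1-hour windows, the thresholds, the `/24` grouping and the blocklist (`192.0.2.0/24`, a documentation range) are all assumptions for the demonstration.

```python
"""Detection rules for reset abuse, run over audit events of the shape the
logging section describes. Added example, not the page's own code. The
events, the blocklist and the thresholds are constructed for demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

MULTI_IP_WINDOW = timedelta(minutes=30)   # one account, several source IPs
MULTI_IP_MIN_REQUESTS = 3
BULK_WINDOW = timedelta(hours=1)          # one /24, many accounts
BULK_MIN_REQUESTS = 20
BLOCKED_RANGES = [ip_network("192.0.2.0/24")]   # constructed "known malicious" list


def _constructed_events() -> List[dict]:
    """Constructed sample: one targeted account, one benign reset, one burst."""
    events = [
        {"ts": "2026-01-14T09:00:01Z", "event": "reset_requested", "account": "alice@example.com", "ip": "203.0.113.10", "ua": "Mozilla/5.0"},
        {"ts": "2026-01-14T09:02:15Z", "event": "reset_requested", "account": "alice@example.com", "ip": "203.0.113.55", "ua": "curl/8.0"},
        {"ts": "2026-01-14T09:05:40Z", "event": "reset_requested", "account": "alice@example.com", "ip": "192.0.2.99", "ua": "curl/8.0"},
        {"ts": "2026-01-14T09:30:00Z", "event": "reset_completed", "account": "bob@example.com", "ip": "203.0.113.77", "ua": "Mozilla/5.0"},
        {"ts": "2026-01-14T09:29:10Z", "event": "reset_requested", "account": "bob@example.com", "ip": "203.0.113.77", "ua": "Mozilla/5.0"},
    ]
    for i in range(25):   # scripted burst: 25 accounts from one /24 in 12 minutes
        events.append({"ts": f"2026-01-14T10:{i // 2:02d}:{(i % 2) * 30:02d}Z",
                       "event": "reset_requested", "account": f"user{i}@example.com",
                       "ip": f"198.51.100.{i + 1}", "ua": "python-requests/2.31"})
    return events


SAMPLE_EVENTS = _constructed_events()


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def _within(events: List[dict], start: dict, window: timedelta) -> List[dict]:
    """Events at or after `start` and no later than `start + window`."""
    return [e for e in events if timedelta(0) <= _ts(e) - _ts(start) <= window]


def detect(events: List[dict]) -> List[dict]:
    """Apply the three rules; one alert per account or /24, plus one per
    request from a blocked range."""
    requests = sorted((e for e in events if e["event"] == "reset_requested"), key=_ts)
    alerts: List[dict] = []

    # Rule 1: several requests for one account from more than one IP
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for e in requests:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        for start in evs:
            window = _within(evs, start, MULTI_IP_WINDOW)
            if len(window) >= MULTI_IP_MIN_REQUESTS and len({e["ip"] for e in window}) >= 2:
                alerts.append({"rule": "multi_ip_reset", "key": account, "count": len(window),
                               "action": "require_additional_verification"})
                break

    # Rule 2: bulk requests from one /24 (credential stuffing / enumeration)
    by_net: Dict[str, List[dict]] = defaultdict(list)
    for e in requests:
        by_net[str(ip_network(e["ip"] + "/24", strict=False))].append(e)
    for net, evs in by_net.items():
        for start in evs:
            window = _within(evs, start, BULK_WINDOW)
            if len(window) >= BULK_MIN_REQUESTS:
                alerts.append({"rule": "bulk_reset", "key": net, "count": len(window),
                               "accounts": len({e["account"] for e in window}),
                               "action": "flag_targeted_accounts_for_review"})
                break

    # Rule 3: any request from a listed range
    for e in requests:
        if any(ip_address(e["ip"]) in net for net in BLOCKED_RANGES):
            alerts.append({"rule": "malicious_range", "key": e["ip"], "count": 1, "action": "block"})
    return alerts
```

The rules need the raw source IP, so they run on the live event stream before the audit store applies its keyed hash; the `bulk_reset` alert carries the number of distinct accounts touched so every one of them can be flagged for review, as the monitoring list requires.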

## Templates & Frameworks

### Password Reset Analytics Dashboard

```
PASSWORD RESET & ACCOUNT RECOVERY DASHBOARD — January 2026
===========================================================

VOLUME METRICS:
  Password resets completed: 1,234 this month (↑ 8% from December)
  Account lockouts: 234 this month (↓ 12% from December) ✓
  MFA recovery requests: 89 this month
  Agent-assisted recoveries: 12 (1.0% of total — self-service rate: 99.0%) ✓
  
  Self-service success rate: 96.8% (no agent needed)
  Average completion time: 1.8 minutes
  Abandonment rate: 5.2% (customer didn't complete reset)

RESET BY TRIGGER:
  Trigger                          | Count   | % of Total | Avg Time
  ----------------------------------|---------|------------|----------
  "Forgot Password" on login       | 834     | 67.6%      | 1.5 min
  Account lockout (too many tries) | 234     | 19.0%      | 2.3 min
  Security alert (suspicious login)| 89      | 7.2%       | 2.1 min
  Customer support request         | 45      | 3.7%       | 3.4 min
  MFA recovery                     | 32      | 2.6%       | 2.8 min
  
  Total: 1,234

VERIFICATION METHOD USAGE:
  Method                      | Usage   | Success Rate | Avg Time
  ----------------------------|---------|--------------|----------
  Email verification link     | 912     | 98.7%        | 1.2 min
  SMS code                    | 189     | 97.4%        | 1.4 min
  Authenticator app           | 89      | 99.1%        | 1.1 min
  Security questions          | 23      | 78.3%        | 3.2 min
  Agent-assisted              | 12      | 100%         | 12.4 min

SECURITY METRICS:
  Suspicious activity detected: 45 this month
    Credential stuffing attempts: 23 (blocked)
    Password reset abuse: 12 (flagged)
    Phishing-related resets: 6 (investigated — all false)
    Other suspicious: 4 (under review)
    
  Breach database matches: 89 passwords rejected (would have been compromised)
  Password reuse attempts: 67 blocked (within last 6 passwords)
  Weak password attempts: 234 rejected (didn't meet requirements)
  
  SECURITY INCIDENT RATE: 0.01% of all resets (extremely low) ✓

PASSWORD STRENGTH TREND:
  Average password score: 7.8/10 (↑ 0.3 from December) ✓
  Distribution:
    Excellent (9-10): 34% (↑ 5%)
    Good (7-8): 42% (↑ 3%)
    Acceptable (5-6): 18% (↓ 5%)
    Weak (<5): 6% (↓ 3%) ✓

ACCOUNT LOCKOUT ANALYSIS:
  Total lockouts: 234
  Average failed attempts before lockout: 12.3
  Average lockout duration: 28 minutes
  Self-unlock rate: 94.0% (customers unlocked themselves)
  Agent-assisted unlock: 14 (6.0%)
  
  Lockout root causes:
    Typo in password: 89 (38.0%)
    Forgotten password: 78 (33.3%)
    Caps lock on: 34 (14.5%)
    Account sharing/multiple users: 18 (7.7%)
    Suspicious activity (potential breach): 15 (6.4%)

COMPLIANCE & AUDIT:
  Audit log completeness: 100% ✓
  Log retention: 12 months (meets compliance requirement) ✓
  PII in logs: minimised (IP addresses stored as keyed hashes; still pseudonymous personal data under GDPR) ✓
  GDPR-compliant reset flow: Yes ✓
  SOC 2 audit status: Passed (last audit: Nov 2025)

AGENT SUPPORT IMPACT:
  Tickets deflected by self-service: 1,222
  Average cost per agent-assisted ticket: $14.50
  Cost savings from self-service: $17,719 this month
  Agent-assisted recovery tickets: 12 (1.0%)
  Reasons for agent assistance:
    No contact method available: 5
    Email not received (inbox issue): 4
    MFA device lost: 2
    Account takeover suspected: 1
```

### Account Recovery Decision Tree

```
ACCOUNT RECOVERY DECISION TREE
===============================

CUSTOMER CAN'T ACCESS ACCOUNT → Determine scenario:

SCENARIO A: Forgot Password (Most Common — 68%)
  1. Click "Forgot Password" on login page
  2. Enter account email
  3. Receive verification link (check spam folder)
  4. Click link → set new password
  5. Log in with new password
  Resolution: Self-service, no agent needed
  
SCENARIO B: Account Locked (19%)
  1. Wait for lockout period to expire (shown on screen)
  2. Try password again (use password reset if forgotten)
  3. If still locked after 3 attempts → use password reset flow
  Resolution: Self-service, no agent needed
  
SCENARIO C: Email Not Received (7%)
  1. Check spam/junk folder
  2. Wait 2 minutes (email delivery delay)
  3. Click "Resend" on reset page
  4. If still not received → check email address correct
  5. If email is wrong → use "Update email" flow
  Resolution: Self-service in 80%, agent needed for 20%
  
SCENARIO D: MFA Device Lost (3%)
  1. Click "Can't access your device?" on MFA screen
  2. Verify identity via backup method (email/SMS)
  3. Set up new MFA device
  4. If no backup method → agent assistance required
  Resolution: Self-service in 70%, agent needed for 30%
  
SCENARIO E: Suspected Account Takeover (3%)
  1. Click "Someone else is using my account"
  2. System locks account immediately
  3. Security team investigates
  4. Customer identity verified via call-back to the phone number already on file (never a number supplied by the caller)
  5. Account recovered, password reset, MFA reconfigured
  Resolution: Agent/security team required
  
SCENARIO F: No Contact Method Available (Rare — <1%)
  1. Contact support with account information
  2. Provide: Company name, account email, approximate signup date (these locate the account but do not prove ownership; an attacker can usually find them)
  3. Answer security questions
  4. Agent verifies identity via an alternative method (for example identity document verification); this path is the main social-engineering target, so the verification step is never skipped under pressure
  5. Account recovered
  Resolution: Agent required
```

## Integration Points

- **Identity management** (Auth0, Okta, Microsoft Entra ID, formerly Azure AD): Authentication, MFA, password policies
- **Email/SMS** (SendGrid, Twilio): Verification code delivery
- **Breached-password data** (HaveIBeenPwned Pwned Passwords API, or a self-hosted copy of its hash list): Breached password detection
- **Help desk** (Zendesk, Intercom): Escalation for failed self-service
- **SIEM** (Splunk, Datadog Security): Suspicious activity monitoring
- **Audit systems** (internal logging): Compliance audit trails
- **Customer database**: Account data, contact methods, security settings

## Edge Cases

- **Customer email changed and old email inaccessible**: Customer updated email, forgot password, can't receive reset on old email:
  - Prevention: Require email verification before email change completes
  - Recovery: Security questions + ID verification via support
  - Alternative: Phone verification if number on file
  - Policy: Email change requires the current password (and an MFA step where configured), and a notice with a revert link goes to the old address (prevents and limits unauthorized changes)
  - Customer education: "Keep your recovery email up to date"
- **Customer organization requires SSO but individual password reset needed**: Enterprise customer with SSO needs password reset for non-SSO access:
  - Separate "Reset local password" flow, offered only to accounts whose organization policy permits local (non-SSO) login; it must never provide a way around an SSO-only enforcement
  - Admin override: Company admin can force password reset from SSO admin
  - Fallback: Email-based reset for emergency access (break-glass use, logged and alerted on)
  - Documentation: Clear distinction between SSO and local password
- **Password reset link or code phished**: Attacker requests a reset for the customer's account and tricks the customer into forwarding the link or reading out the code:
  - Link expiration: 15-minute validity window, single use
  - IP/device change detection: Reset from unusual location requires additional verification
  - Post-reset notification: "Your password was changed on [device] from [location]"
  - Customer alert: If customer reports phishing, immediately lock account and revoke sessions
  - Education: "We will never ask you for a verification code; never share codes or click links from unexpected emails"
- **High-volume reset attempts (credential stuffing)**: 500+ password reset requests from same IP range in 1 hour:
  - Rate limiting: Max 5 reset requests per IP per hour, plus a per-account cap (attackers rotate IPs, so a per-IP limit alone is easily evaded)
  - CAPTCHA: Triggered after 3rd attempt per IP
  - IP blocking: Known malicious IPs blocked automatically
  - Alert: Security team notified of potential credential stuffing attack
  - Monitoring: All accounts targeted by attack flagged for review
- **Customer's mail gateway or client auto-fetching the reset link**: Corporate link scanners and some mail clients fetch every URL in a message, so following the link must not by itself reset anything:
  - Manual confirmation: the link (GET) only validates the token and shows a "Confirm reset" form; the token is consumed by the POST from that button, not by the fetch
  - New password required: Even if link clicked, must enter new password
  - Notification: "Password reset initiated — if this wasn't you, secure your account"
  - Session management: Old sessions remain active until new password set (grace period)
  - Edge case protection: Cannot reset to same password (prevents accidental "reset")
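
The token lifecycle described in the reset flow and in the last edge case above, as an added example that is not part of the original page: the request handler answers identically for unknown addresses, the token is 256 random bits stored only as a SHA-256 hash with a 15-minute expiry, the GET handler validates without consuming, and the POST handler consumes the token once, rejects a reset to the current password, revokes sessions and writes the audit event. The in-memory stores, the injected clock, the fake outbox and the salted-SHA-256 demo password hash (standing in for the account store's real KDF) are assumptions.

```python
"""Reset-token lifecycle: request, validate-on-view, consume-on-confirm.
Added example, not the page's own code. The in-memory stores, the injected
clock, the demo password hash and the fake outbox are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


@dataclass
class _Pending:
    account: str
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._tokens: Dict[str, _Pending] = {}    # sha256(token) -> state; raw token never stored
        self.users: Dict[str, str] = {}            # email -> password record (demo hash)
        self.sessions: Dict[str, List[str]] = {}   # email -> live session ids
        self.outbox: List[Tuple[str, str]] = []    # (recipient, body) of "sent" mail
        self.audit: List[dict] = []

    # Demo password store: salted SHA-256 stands in for the real KDF (bcrypt/argon2).
    @staticmethod
    def _hash_pw(password: str) -> str:
        salt = secrets.token_hex(8)
        return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

    def _verify_pw(self, email: str, password: str) -> bool:
        salt, digest = self.users[email].split("$")
        return hmac.compare_digest(hashlib.sha256((salt + password).encode()).hexdigest(), digest)

    def add_user(self, email: str, password: str, sessions: List[str]) -> None:
        self.users[email] = self._hash_pw(password)
        self.sessions[email] = list(sessions)

    @staticmethod
    def _token_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str, ip: str) -> str:
        """Same response and same audit event whether or not the address is
        registered, so the form cannot be used to enumerate accounts."""
        if email in self.users:
            token = secrets.token_urlsafe(32)   # 256 bits of entropy; only its hash is kept
            self._tokens[self._token_id(token)] = _Pending(email, self._clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"https://example.test/reset?token={token}"))
        self.audit.append({"event": "reset_requested", "account": email, "ip": ip, "ts": self._clock()})
        return GENERIC_RESPONSE

    def _live(self, token: str) -> Optional[_Pending]:
        pending = self._tokens.get(self._token_id(token))
        if pending is None or pending.used or self._clock() > pending.expires_at:
            return None
        return pending

    def preview(self, token: str) -> bool:
        """GET handler: validates only and renders the confirm form. It does
        not consume the token, so a mail gateway prefetching the URL neither
        burns the link nor changes anything."""
        return self._live(token) is not None

    def confirm(self, token: str, new_password: str, ip: str) -> str:
        """POST handler behind the 'Confirm reset' button: single use."""
        pending = self._live(token)
        if pending is None:
            return "invalid_or_expired"
        if self._verify_pw(pending.account, new_password):
            return "same_as_current"           # token stays valid so the customer can retry
        pending.used = True                    # consume before any side effect
        self.users[pending.account] = self._hash_pw(new_password)
        revoked = self.sessions.pop(pending.account, [])   # old sessions lived until now
        self.outbox.append((pending.account, f"Your password was changed from {ip}"))
        self.audit.append({"event": "reset_completed", "account": pending.account, "ip": ip,
                           "ts": self._clock(), "sessions_revoked": len(revoked)})
        return "ok"
```

Because the store holds only the hash of the token, a leaked database copy does not yield usable links, and the lookup by hash needs no constant-time comparison. The policy checks from the password-requirements section would slot in between the `same_as_current` test and the consume step.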

## Output

### Monthly Password Reset Report

```
PASSWORD RESET MONTHLY REPORT — January 2026
==============================================

PERFORMANCE:
  Self-service reset rate: 99.0% (target: >95%) ✓
  Average completion time: 1.8 minutes (target: <3 minutes) ✓
  Customer satisfaction: 4.3/5.0 (target: >4.0) ✓
  
SECURITY:
  Suspicious activity blocked: 45 incidents
  Breached passwords rejected: 89
  Security incidents: 0 confirmed breaches ✓
  False positive lockouts: 12 (1.0% — acceptable)
  
COST SAVINGS:
  Tickets deflected: 1,222
  Agent time saved: 244 hours (at 12 min/ticket)
  Cost savings: $17,719/month = $212,628/year
  
RECOMMENDATIONS:
  1. Add "Show Password" toggle (reduce "caps lock" lockouts by ~15%)
  2. Implement biometric option for mobile (fingerprint/face ID for MFA)
  3. Add password manager integration hints (improve password strength)
  4. Create "Locked Out?" help page (reduce agent-assisted recoveries)
  5. Test MFA backup code flow (currently 30% fail rate on first attempt)
```
