Can't log in after password reset

We just received our second customer report related to an inability to log in after a successful password reset. The problem can be summarized as follows:

  1. User clicks our Forgot Password link.
  2. We ask them for their email and send them a reset link.
  3. They follow the reset link and are taken to the Password Reset page in Auth0.
  4. They enter the new password and confirm it.
  5. Auth0 monitoring shows that password reset was successful for the user.
  6. The user attempts to log in with the same password.

RESULT: Login fails. Auth0 logs show that the login failed due to a password mismatch.

In both cases the customer swears they are using the same password in the reset process as they are when they attempt to log in. We have asked them to use the clipboard and paste the new password in all the places to avoid any sort of typing error. And our support team has walked them through the process multiple times (e.g. in Incognito) to try and figure out what might be going on.

Other users can go through this flow just fine. And if I grab the password one of these users was using (right out of a signin.har they provided), I am able to use that password in a password reset operation on one of my own accounts. So I don’t think there is any “magic” to the password being chosen.

I have asked for a password.reset.har from the customer to see if there are clues there but I am not optimistic. I don’t believe that it will show that they are using different passwords (because we told them to use the clipboard).

Is there any other way that I can debug this? Is there some way for me to look at a hash saved in Auth0 and compare that to a generated hash of their password?

We were able to resolve this but we still don’t know what/why/how.

I reset the user’s password manually in the Auth0 portal and asked them to sign in with the password that I used. They were unsuccessful; they got the same error (“wrong password” in the Auth0 logs).

I reset the user’s password again in the Auth0 portal using the same process and the same password. Next I got on a call with the user and I logged in as them using the password I set. This was successful.

I logged out and asked the user to log in again with the same password. To everyone’s great astonishment, the user was successful this time.

Then we had the user go through the entire password reset → sign in with new password flow. This was successful as well.

It is almost as if the user’s IP was blocked for some reason, and when I impersonated them from a different IP I somehow unblocked the user. But obviously that’s just wild speculation.

FWIW, when the user was having problems signing in I did check the Auth0 portal and the management API to see if the user was blocked in any way. Neither the portal nor the API showed any blocks.
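One way to check the IP-level speculation above is to correlate three things: the user record's admin `blocked` flag, the per-user brute-force block list (which is keyed by source IP and is not reflected in that flag), and the recent login events grouped by IP. This is an added example, not Auth0's code or the poster's; the response shapes for the Management API user, user-blocks and logs endpoints and the log type codes (`scp`, `fp`, `limit_wc`, `s`) are my assumptions, and the sample responses are constructed, not captured from a tenant.

```python
import json

# Constructed samples shaped like (my assumption of) the Auth0 Management API
# responses for GET /users/{id}, GET /user-blocks/{id} and GET /logs.
USER_JSON = '{"user_id": "auth0|example-user", "email": "user@example.com", "blocked": false}'
USER_BLOCKS_JSON = ('{"blocked_for": [{"identifier": "user@example.com", '
                    '"ip": "203.0.113.7", "connection": "Username-Password-Authentication"}]}')
LOGS_JSON = """[
 {"type": "scp",      "date": "2023-01-01T10:00:00Z", "ip": "203.0.113.7",  "user_id": "auth0|example-user"},
 {"type": "fp",       "date": "2023-01-01T10:01:00Z", "ip": "203.0.113.7",  "user_id": "auth0|example-user"},
 {"type": "fp",       "date": "2023-01-01T10:02:00Z", "ip": "203.0.113.7",  "user_id": "auth0|example-user"},
 {"type": "limit_wc", "date": "2023-01-01T10:02:01Z", "ip": "203.0.113.7",  "user_id": "auth0|example-user"},
 {"type": "s",        "date": "2023-01-01T11:00:00Z", "ip": "198.51.100.5", "user_id": "auth0|example-user"}
]"""

# Assumed meaning of the log type codes (hypothetical mapping for this example).
LOG_TYPES = {"scp": "password changed", "fp": "failed login (wrong password)",
             "limit_wc": "brute-force block (user/IP)", "s": "successful login"}


def triage(user_json, blocks_json, logs_json):
    """Summarise admin block state, brute-force-blocked IPs and events per IP."""
    user = json.loads(user_json)
    blocks = json.loads(blocks_json).get("blocked_for", [])
    events = json.loads(logs_json)
    blocked_ips = sorted({b["ip"] for b in blocks if "ip" in b})
    events_by_ip = {}
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev.get("user_id") != user["user_id"]:
            continue  # only this user's events matter here
        events_by_ip.setdefault(ev["ip"], []).append(LOG_TYPES.get(ev["type"], ev["type"]))
    # An IP-scoped block with the admin flag clear explains "wrong password" from
    # one network while a login from another IP (e.g. an admin's) succeeds.
    ip_scoped_only = bool(blocked_ips) and not user.get("blocked", False)
    return {
        "admin_blocked": bool(user.get("blocked", False)),
        "brute_force_blocked_ips": blocked_ips,
        "events_by_ip": events_by_ip,
        "ip_scoped_block_only": ip_scoped_only,
    }


if __name__ == "__main__":
    print(json.dumps(triage(USER_JSON, USER_BLOCKS_JSON, LOGS_JSON), indent=2))
```

If `ip_scoped_block_only` comes back true, the user's `blocked` flag in the portal will look clean even though logins from the listed IPs are being rejected.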