Force a New User to Change Password on the First Login

kristi.davis · May 17, 2024, 8:49pm

Last Updated: Dec 2, 2024

Overview

This article provides steps to force a new user to reset their password upon their first login attempt. This requirement can arise from a need to enhance security or when user accounts are pre-created.

Applies To

Change Password
First Login
Actions

Solution

The following options are available to achieve this functionality:

Option 1: Utilize a Post-Login Action and a Post-Change Password Action

This option uses a combination of two actions in Auth0: a post-login action and a post-change password action.

Post-Login Action: This action checks the logic for when the user is allowed to access the application based on the needsPasswordReset flag.

// Post-login action to force password reset on first login

exports.onExecutePostLogin = async (event, api) => {

  // Check the login count to determine if it's the user's first login

  const loginCount = event.stats.logins_count;

  if (loginCount === 1) {

    // Set the needsPasswordReset flag to true for the user's first login

    await api.user.setAppMetadata(event.user.user_id, { needsPasswordReset: true });

    // Deny access and prompt the user to reset their password

    api.access.deny(`Please reset your password!`);

  } else {

    // For subsequent logins, retrieve user data to check if password reset is required
    // Check if the needsPasswordReset flag exists and is set to true

    if (userData.app_metadata.needsPasswordReset === true) {

      // If the flag is true, deny access and prompt the user to reset their password
      api.access.deny(`Please reset your password!`);
    }

    // If the flag exists and is set to false, do nothing
  }
};

Post-Change Password Action : This action uses the Management API to change the user’s metadata flag value after they change their password, allowing them to login.

// Post Change Password Action to update user metadata using the management api

exports.onExecutePostChangePassword = async (event) => {
  const ManagementClient = require('auth0').ManagementClient;
  const management = new ManagementClient({
    domain: yourAuth0Domain,
    clientId: M2M_Client_ID,
    clientSecret: M2M_Client_Secret,
    scope: 'read:users update:users',
  });
  try {
    // Update the needsPasswordReset flag to false after password reset
    await management.updateAppMetadata({ id: event.user.user_id }, { needsPasswordReset: false });
  } catch (error) {
    console.error('An error occurred while updating user metadata:', error);
  }
};

Refer to the Auth0 documentation How can I use the Management API in Actions for more details on using the Management API in Actions. This combination ensures new users are prompted to reset their passwords upon first login.

Option 2: Leverage the Forms Feature

This option uses the Forms feature. A basic example of this implementation is shown below:

Create a form with a step node to obtain the new password value from the user and a flow node to update the metadata with the new password.

Step Node Configuration: For example, the Field ID could be “password”. This ID is used to pass the field value to the flow node.

4834×926 34.7 KB
Flow Node Configuration : Modify the {{fields.ID}} placeholder in the Update a User request payload to match the Field ID from the step node (e.g., {{fields.password}} ).

52080×1648 207 KB

Publish the form.
Render Forms using Actions. Use the login count to determine if the user is new.

exports.onExecutePostLogin = async (event, api) => {
  const FORM_ID = 'ENTER FORM ID HERE';
  const loginCount = event.stats.logins_count;
if (loginCount === 1) {
  api.prompt.render(FORM_ID);
}
}

exports.onContinuePostLogin = async (event, api) => {}

After the password is changed, the user is logged in and the tenant logs will also confirm that the password was changed.

Option 3: Manual Password Reset Initiation via Email

This method involves creating user accounts with a random password and then initiating a password reset process.

Create user accounts with a randomly generated password.
Initiate the password reset for the user through one of the following methods:

Trigger a change password email to be sent to the user.
Send the user an invite email using Create a password change ticket.

This approach ensures that the user must:

Have access to the email address associated with their account.
Set their own password before their initial login.

Topic		Replies	Views
Auth0 setting to force password reset after first login? Get Help lock , auth0 , login	11	22357	December 10, 2019
Forcing Users to reset password on first login Get Help management-api , users	2	914	April 19, 2024
Password reset at first login Get Help login-experience , new-universal-login-experience	2	1131	October 27, 2023
How to require users imported through the Management API to change their password the first time they log in？ Get Help management-api , users	2	49	December 30, 2024
Force user on first Login to reset their password Get Help password , login , hooks	4	7892	October 13, 2022

Force a New User to Change Password on the First Login

Overview

Applies To

Solution

Related topics