Force password reset after login

Hi,

Is there a way to force a password reset after a user login?

Context:

An admin may want to have users reset their passwords the next time they log in. I noticed there is an endpoint to force a reset-password email, but an email to reset your password coming out of nowhere, or just being locked out of an account, seems unintuitive.

Hi @caward24,

Welcome back to the Auth0 by Okta Community!

I understand you are worried about the possible friction with having users reset their passwords. These are the solutions I’d recommend:

As an Admin, you are able to force a password reset via the Auth0 Dashboard or the Management API.

If you are worried about the flow of the email of the password reset, you could block users from logging in via their “email_verified” attribute. Users are then forced to use the forgot password flow configured on the Universal Login. This solution is described in this post:

Please let me know if there’s anything else I can do to help, I’m glad to clarify further.


Just to clarify there are 2 options:

  1. Trigger a password reset that sends an email
  2. Set the “email_verified” attribute to false and have a post login flow deny the user if it is false.

If these are the options, I would like to talk about the second option. If I use option 2 and the user cannot log in, will the user know their password has been changed? Or will they not know and keep typing their old password until they give up and choose "forgotten password"?

Hi @caward24,

Correct, the Auth0 recommended options are to

There is a third option, which is a bit more complex. Using Triggers, you can manually deny the user via one of the many user attributes. This approach is fully customizable to your needs. Here you can also redirect a user to a Custom error page.

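Options 2 and 3 above both come down to a Post-Login Action that inspects a user attribute and denies the login. The following is an added example, not code from this thread or from Auth0: it honours option 2 (`email_verified` flipped to `false`) and option 3 via a dedicated flag, and it answers the "will the user know?" question by putting the reason in the deny message that the login page displays. The attribute name `app_metadata.force_password_reset` is an assumption chosen for this example.

```javascript
// Added example, not code from the thread or from Auth0: a Post-Login
// Action that denies the login when an admin has flagged the account for a
// forced password reset, and says so in the error the user sees.
// Assumption not stated in the thread: the admin sets the hypothetical flag
// app_metadata.force_password_reset. Option 2 from the thread
// (email_verified === false) is honoured as well.
const RESET_REQUIRED_MESSAGE =
  'Your administrator requires you to choose a new password. ' +
  'Go back to the sign-in page and use "Forgot password" to set one.';

// Returns the deny reason for this user, or null if the login may proceed.
// Kept synchronous and free of the Auth0 runtime so it can be unit-tested.
function denyReasonFor(user) {
  const meta = (user && user.app_metadata) || {};

  // Option 3: a dedicated attribute set by the admin via the Management API.
  if (meta.force_password_reset === true) {
    return RESET_REQUIRED_MESSAGE;
  }

  // Option 2: email_verified flipped to false. Caveat: this also blocks
  // users who never verified their address, which is why a dedicated flag
  // (above) is the less ambiguous signal.
  if (user && user.email_verified === false) {
    return RESET_REQUIRED_MESSAGE;
  }

  return null;
}

// Auth0 runs this after the credential check and before tokens are issued.
// api.access.deny(reason) fails the login with that reason instead of a
// generic failure, so the user learns a reset is required rather than
// retrying an old password.
const onExecutePostLogin = async (event, api) => {
  const reason = denyReasonFor(event.user);
  if (reason !== null) {
    api.access.deny(reason);
  }
};

exports.onExecutePostLogin = onExecutePostLogin;
```

The flag approach keeps "must reset" separate from "never verified", which matters if the tenant also relies on `email_verified` for its intended purpose; the admin sets the flag with a Management API user update and clears it once the user has completed the forgot-password flow.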

@caward24,

I work for Okta Educational Services, and we are always pointing out that sending an email with a link is suspiciously like phishing and hopefully will be ignored if the user is paying any attention. The best all-around solution is to use the API to change the user’s password to some random value so they cannot log in with their old one. Then send them a message that they should go to the sign-on page and use the “I forgot my password” link to change their password. If they follow the message they aren’t getting phished because they are initiating the connection.

If they don’t see or ignore the message they simply cannot log in. Then they are very likely to use the “I forgot my password” link to fix the problem anyway. I’ve done that myself at least three times this year where the vendor clearly migrated accounts or removed passwords without telling anyone.

This seems to be a typical solution for most applications. I should also point out that the only way to change your Auth0 admin account password is to use the “I forgot my password” link :)
