Invalidate Password when Sending Password Reset Email

Problem statement

Is it possible to invalidate a user’s current password when the user requests a password reset? This way, they are unable to log in with the existing password until they have completed the reset process.

Solution

It is not possible to do this out of the box. The main issue with this use case is that anyone can request a password reset for the user and prevent them from authenticating.

One possible solution would be to manage the reset flow directly. This would involve having a custom button that, when clicked, will set the user’s password to a random value with high entropy (so it cannot realistically be brute-forced) and subsequently send the password reset email.

Here’s what the flow would look like:

  1. User clicks the custom reset password button, which fires a request to a custom service’s backend.
  2. The service updates the user’s password to a random value via the Management API:

https://auth0.com/docs/authenticate/database-connections/password-change#use-the-management-api

curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/users/%7BuserId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{"password": "newPassword","connection": "connectionName"}'

This prevents the user from authenticating with their old password.

  3. The service then sends the reset password email using the Authentication API:

https://auth0.com/docs/authenticate/database-connections/password-change#authentication-api

curl --request POST \
  --url 'https://{yourDomain}/dbconnections/change_password' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}","email": "","connection": "Username-Password-Authentication"}'

  4. The user can only log in once they click the link and set a new password, because the old password was replaced in step 2.

This assumes, however, that the user has been authenticated in another manner, so there is some certainty that it’s not someone else attempting to issue the reset. As mentioned above, if anyone can issue a reset for any email address, it opens up a vector for blocking any user at will.
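The following is an added example, not Auth0’s own code, of what the custom backend described in steps 2 and 3 could look like. It generates the high-entropy replacement password with a CSPRNG, overwrites the user’s password through the Management API, and only then triggers the reset email through the Authentication API; if the PATCH fails, no email is sent and the old password stays valid, which is the safer failure mode. The function names, the `send` transport hook (signature `send(method, url, headers, body)`), and the sample tenant, user ID, and e-mail values are assumptions for illustration. The caller is expected to have already authenticated the user by some other means, as the paragraph above requires.

```python
"""Added example (not Auth0's code): invalidate the current password, then send the reset email.

Assumptions: `domain`, `user_id`, `client_id`, `mgmt_token`, and `connection` are supplied by the
caller; `send` is a hypothetical transport hook so the flow can be exercised without network access.
"""
import json
import secrets
import string
from urllib.parse import quote
from urllib.request import Request, urlopen

# Letters, digits and a few symbols; widen or narrow this to satisfy the
# connection's password policy (Auth0 policies can require several character classes).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PASSWORD_LENGTH = 48  # 48 symbols from a 70-symbol alphabet is roughly 294 bits of entropy


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Throwaway password drawn from the OS CSPRNG; nobody ever needs to know it."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def urllib_send(method: str, url: str, headers: dict, body: dict) -> dict:
    """Default transport: one JSON request with urllib. Raises on any non-2xx status."""
    req = Request(url, data=json.dumps(body).encode(), method=method, headers=headers)
    with urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def invalidate_and_send_reset(domain: str, user_id: str, email: str, connection: str,
                              client_id: str, mgmt_token: str, send=urllib_send) -> dict:
    """Step 2 then step 3 of the flow. Must only be called for a user who has already
    been authenticated by other means, otherwise anyone could lock out any account."""
    # Step 2: replace the password so the existing one no longer authenticates.
    # Auth0 user IDs contain '|' (e.g. auth0|abc), so the path segment must be URL-encoded.
    patch_url = f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"
    send(
        "PATCH",
        patch_url,
        {"authorization": f"Bearer {mgmt_token}", "content-type": "application/json"},
        {"password": random_password(), "connection": connection},
    )
    # Step 3: only reached if the PATCH succeeded; now ask Auth0 to email the reset link.
    send(
        "POST",
        f"https://{domain}/dbconnections/change_password",
        {"content-type": "application/json"},
        {"client_id": client_id, "email": email, "connection": connection},
    )
    # Deliberately return no secret material; the random password is discarded.
    return {"user_url": patch_url, "reset_email_sent_to": email, "password_length": PASSWORD_LENGTH}


if __name__ == "__main__":
    # Constructed sample values; with the default transport this would hit a real tenant.
    summary = invalidate_and_send_reset(
        domain="example-tenant.auth0.com",
        user_id="auth0|abc123",
        email="user@example.com",
        connection="Username-Password-Authentication",
        client_id="{yourClientId}",
        mgmt_token="{yourMgmtApiAccessToken}",
    )
    print(summary)
```

Because the Management API call happens first and the e-mail call only after it returns successfully, a transient failure leaves the account in its original state rather than with an unusable password and no reset link. The random password is never logged or returned, so there is nothing for the service to protect afterwards.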