In the “Reset password flow”, if the user provides their username, an OTP will be sent to the user’s email by default - can this be changed? Is it possible to give the user an opportunity to pick a preferred device for OTP retrieval, either a phone number or an email, the same way it is done in the MFA flow?
Hi @kapitoshka,
Welcome to the Auth0 Community!
Unfortunately, there is no built-in option to allow the user to choose a different delivery method, such as SMS, during the process. In the standard Auth0 “Reset Password” flow, the one-time password (OTP) or reset link is sent to the user’s primary email by default.
The core reason for this design is security and simplicity. The password reset flow is intended to use the primary, verified channel—the user’s email address—to ensure that the person requesting the reset is the legitimate owner of the account.
The MFA flow, on the other hand, is designed as a layer of security by challenging the user on a secondary device. Because its purpose is to provide options for that second factor, it is built to handle choices like “email,” “SMS,” or “authenticator app.” The password reset flow has a different primary goal: secure, single-channel account recovery.
While you cannot change the default behavior with a simple switch, you can achieve this user experience by building a custom password reset flow using the Auth0 APIs. This gives you complete control over the user interface and logic.
Here’s a high-level overview of the steps:
- Create a Custom UI: Build your own “Forgot Password” page where users can enter their username or email.
- Look Up User Factors: After the user provides their identifier, your backend server should use the Auth0 Management API to find the user and retrieve their enrolled and verified communication channels (e.g., primary email and phone number).
- Present the Choice: On your custom page, display the available options to the user (e.g., “Send code to j***@e***.com” or “Send code to ***-***-1234”).
- Send the OTP:
  - If the user chooses email, you can trigger the standard password reset email using the Authentication API.
  - If the user chooses SMS, you must integrate with a third-party SMS provider (like Twilio). Your backend would generate a secure, short-lived OTP and send it via the SMS provider’s API.
- Verify and Complete: The user would then enter the OTP into your verification form. If the code is valid, use the Management API to complete the password reset.
You can use the Change a User’s Password documentation as a guideline. It outlines the different API endpoints you would need.
Also, be very careful about security. Implement rate limiting on your API endpoints to prevent abuse.
If you have any further questions, feel free to reach out.
Have a good one,
Vlad
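As an added example (not code from this thread or from Auth0), here is the backend logic for the SMS branch of the custom flow outlined above: masking the identifiers shown on the choice screen, issuing a short-lived OTP that is stored only as an HMAC, and verifying it with a constant-time compare, single use, expiry and a per-challenge attempt cap. It assumes the Auth0 user id comes from the Management API lookup and that the SMS provider call and the final Management API password change happen around `issue` and `verify`; those calls are not shown.

```python
import hmac, hashlib, secrets, time
from typing import Optional, Tuple

OTP_TTL_SECONDS = 300  # short-lived code: five minutes
MAX_ATTEMPTS = 5       # per-challenge cap; still rate-limit the API endpoints by IP and user

def mask_email(email: str) -> str:
    """Display form such as j***@e***.com: recognisable to the owner, not useful to anyone else."""
    local, domain = email.split("@", 1)
    host, _, tld = domain.rpartition(".")
    return f"{local[0]}***@{host[0]}***.{tld}"

def mask_phone(phone: str) -> str:
    """Display form such as ***-***-1234 (last four digits only)."""
    return f"***-***-{phone[-4:]}"

class OtpStore:
    """Outstanding reset challenges; the plaintext code is never stored, only its keyed digest."""
    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key   # assumed: loaded from a secret store, not from source
        self._now = now          # injectable clock so expiry can be tested
        self._challenges = {}    # challenge_id -> (user_id, digest, expires_at, attempts_left)

    def _digest(self, challenge_id: str, code: str) -> bytes:
        # the HMAC binds the code to its challenge id, so a leaked row is not a usable code
        return hmac.new(self._key, f"{challenge_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> Tuple[str, str]:
        """Return (challenge_id, code): the id goes back to the client, the code to the SMS provider."""
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, fixed six digits
        self._challenges[challenge_id] = (user_id, self._digest(challenge_id, code),
                                          self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return challenge_id, code

    def verify(self, challenge_id: str, code: str) -> Optional[str]:
        """Return the user_id when the code is valid, else None; the challenge is burned on success."""
        rec = self._challenges.get(challenge_id)
        if rec is None:
            return None
        user_id, digest, expires_at, attempts_left = rec
        if self._now() > expires_at or attempts_left <= 0:
            del self._challenges[challenge_id]   # expired or locked out: discard the challenge
            return None
        if hmac.compare_digest(digest, self._digest(challenge_id, code)):
            del self._challenges[challenge_id]   # single use: a verified code cannot be replayed
            return user_id
        self._challenges[challenge_id] = (user_id, digest, expires_at, attempts_left - 1)
        return None
```

Only a `verify` result that returns a user id should lead to the Management API password change; a `None` result gives the client no hint whether the id, the code or the timing failed.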
@vlad.murarasu thank you!