Feature: An event should be logged whenever a user clicks a password reset link in order to view the password reset page.
Use-case:
Like most organizations, we find that some of the most common issues our support team deals with are users who have trouble logging in. Upon investigation we typically find that they have tried several different usernames/passwords, and typically even requested to reset their passwords multiple times. All of this activity is visible in the Auth0 console under User->History, as well as any “Success Change Password” event if they get that far.
However, the one event that does not seem to get logged is related to the user’s attempts to open reset password links. If we were able to see that users were clicking on expired links, or if they were clicking on valid links but somehow failing to change their password, then this could help to confirm what is really going on, and we could therefore provide clearer instructions to the user. As it stands, until they actually change their password, we have no visibility as to whether they even received & opened the emails to attempt to reset their password.
In the following example, we can see that the user is failing to use the correct password, and they’ve requested to reset their password multiple times, but we cannot determine whether they have received the email in their inbox and clicked some valid or invalid/expired link:
When this user reports that they cannot log in or reset their password, we have to first ask them to confirm that they are receiving the password reset emails, and then we have to guess that they must be clicking an invalid/expired link. If we knew they were clicking a link that was invalid or expired, then we could avoid the guessing game and give them concrete instructions to help them reset their password and move on.
Description:
Logging an event whenever a password reset link is clicked - and whether the link was valid vs invalid/expired - would help our team to establish whether the email made it to the user’s inbox.
It appears that an fcpr (Failed Change Password Request) event is currently logged to our tenant with the message “Ticket required for verification” in the event that someone visits the /u/reset-verify URL without the required ticket parameter.
My feedback here is that a similar event should be logged whenever the URL is visited in general. At the very least, an event should be logged when the ticket parameter has been invalidated or expired, since this information is invaluable when troubleshooting what is going wrong when a user reports an inability to reset their password / login.
This information could additionally inform decision-making around the password reset flow in general, since we would be able to determine how many users are able to complete the flow on the first try vs how many users get stuck due to invalid/expired links in their inbox.
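As an added illustration of the troubleshooting the post describes (this is not Auth0's code or the poster's), the script below groups Auth0 log events per user and reports where each user's latest reset attempt stands. Only the fcpr code and its “Ticket required for verification” description come from the post; the scpr and scp type codes, the record field names and the sample events are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Auth0 log event type codes. "fcpr" and its description are quoted in the post;
# the other codes and the field names are assumed from Auth0's log-event reference.
RESET_REQUESTED = "scpr"        # Success Change Password Request (reset email sent)
RESET_REQUEST_FAILED = "fcpr"   # Failed Change Password Request
PASSWORD_CHANGED = "scp"        # Success Change Password
TICKET_MISSING = "Ticket required for verification"

# Constructed sample records in the shape of Auth0 log events (not real tenant data).
SAMPLE_LOGS = [
    {"date": "2024-01-10T09:00:00Z", "type": "fp",   "user_name": "alice@example.com", "description": "Wrong email or password."},
    {"date": "2024-01-10T09:01:00Z", "type": "scpr", "user_name": "alice@example.com", "description": ""},
    {"date": "2024-01-10T09:04:00Z", "type": "scpr", "user_name": "alice@example.com", "description": ""},
    {"date": "2024-01-10T09:02:00Z", "type": "scpr", "user_name": "bob@example.com",   "description": ""},
    {"date": "2024-01-10T09:05:00Z", "type": "fcpr", "user_name": "bob@example.com",   "description": TICKET_MISSING},
    {"date": "2024-01-10T09:03:00Z", "type": "scpr", "user_name": "carol@example.com", "description": ""},
    {"date": "2024-01-10T09:06:00Z", "type": "scp",  "user_name": "carol@example.com", "description": ""},
]

def timelines(events):
    """Group the reset-related events per user, sorted by timestamp (ISO-8601 sorts lexically)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["type"] in (RESET_REQUESTED, RESET_REQUEST_FAILED, PASSWORD_CHANGED):
            per_user[ev["user_name"]].append(ev)
    return {u: sorted(evs, key=lambda e: e["date"]) for u, evs in per_user.items()}

def verdict(user_events):
    """Support-facing summary of where one user's most recent reset attempt stands."""
    requests = [e for e in user_events if e["type"] == RESET_REQUESTED]
    if not requests:
        return "no reset requested"
    after = [e for e in user_events if e["date"] > requests[-1]["date"]]
    if any(e["type"] == PASSWORD_CHANGED for e in after):
        return "reset completed"
    if any(e["type"] == RESET_REQUEST_FAILED and e["description"] == TICKET_MISSING for e in after):
        return "reset page visited without the ticket parameter"
    # Nothing logged after the request: the blind spot the post describes.
    return f"{len(requests)} reset email(s) requested, no page visit or completion logged"

def report(events):
    """Map each user seen in the reset flow to a verdict."""
    return {user: verdict(evs) for user, evs in timelines(events).items()}

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOGS), indent=2))
```

Feeding a real tenant's log export to `report` would show how many users land in the last bucket, which is exactly the count the post says cannot currently be separated into "never opened the email" and "clicked an expired link".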