
ch87r (ch87r) asked a question.
Hello,
I'm developing an app which provides its users the ability to recover their password.
The flow I am using is starting with a call to the endpoint api/v1/authn/recovery/password.
After this, I exchange the recovery token for a state token using the api/v1/authn/recovery/token.
This is followed by a confirmation of the security question (api/v1/authn/recovery/answer) and then the password definition (api/v1/authn/credentials/reset_password) and here's the issue.
The reset_password call returns a status "MFA_REQUIRED" but the user password gets changed immediately.
I can see that during the whole process, the user account never changes to RECOVERY; it always stays ACTIVE.
Having a state token in a status "MFA_REQUIRED", shouldn't it change the password only AFTER the user verifies the received passcode?
As far as I understood, the user account stays active because he might remember the old password during this process, but when he submits the call to change the password, shouldn't the account be converted into "RECOVERY" until he verifies the passcode?
It sounds like a security issue that, after confirming the security answer, there is a free opening to complete the password recovery without confirming the MFA.
Is this flow correct?
Thanks for the attention.
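The flow described above, driven by a client that treats each step as a transition in a state machine and fails closed when a step reports a status it does not expect. This is an added example, not code from the question or from Okta: the endpoint paths are the ones named in the question, but the expected status per step in `EXPECTED_STATUS`, the request body fields, and the fake servers are constructed assumptions for the example and should be replaced with the values from the vendor documentation.

```python
"""Client-side conformance check for a stateful password-recovery flow.

Added example (not from the question or from Okta). Endpoint paths come from the
question; the expected status per step is a constructed assumption.
"""
from typing import Any, Callable, Dict, List, Tuple

Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

# Assumed status after each step (constructed for this example; verify against docs).
EXPECTED_STATUS: Dict[str, set] = {
    "api/v1/authn/recovery/password": {"RECOVERY_CHALLENGE", "RECOVERY"},
    "api/v1/authn/recovery/token": {"RECOVERY"},
    "api/v1/authn/recovery/answer": {"PASSWORD_RESET"},
    "api/v1/authn/credentials/reset_password": {"SUCCESS"},
}


class RecoveryFlowError(Exception):
    """Raised when a step returns a status outside the expected state machine."""


class RecoveryFlowClient:
    def __init__(self, transport: Transport) -> None:
        self._send = transport          # callable(path, body) -> parsed JSON response
        self.state_token = None
        self.status = None
        self.transcript: List[Tuple[str, Any]] = []  # (path, status) per step, for audit logs

    def _step(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        resp = self._send(path, body)
        status = resp.get("status")
        self.transcript.append((path, status))
        if status not in EXPECTED_STATUS[path]:
            raise RecoveryFlowError(
                f"{path} returned {status!r}, expected one of {sorted(EXPECTED_STATUS[path])}")
        self.state_token = resp.get("stateToken", self.state_token)
        self.status = status
        return resp

    def start(self, username: str, factor_type: str) -> str:
        body = {"username": username, "factorType": factor_type}  # assumed field names
        return self._step("api/v1/authn/recovery/password", body)["status"]

    def exchange_recovery_token(self, recovery_token: str) -> str:
        body = {"recoveryToken": recovery_token}
        return self._step("api/v1/authn/recovery/token", body)["status"]

    def answer_question(self, answer: str) -> str:
        body = {"stateToken": self.state_token, "answer": answer}
        return self._step("api/v1/authn/recovery/answer", body)["status"]

    def reset_password(self, new_password: str) -> str:
        # Fail closed: never submit a new password unless the chain reached PASSWORD_RESET.
        if self.status != "PASSWORD_RESET":
            raise RecoveryFlowError(f"refusing reset_password while status is {self.status!r}")
        body = {"stateToken": self.state_token, "newPassword": new_password}
        return self._step("api/v1/authn/credentials/reset_password", body)["status"]


def run_recovery(transport: Transport, username: str, recovery_token: str,
                 answer: str, new_password: str) -> str:
    """Drive the four steps in order; return the final status or raise RecoveryFlowError."""
    client = RecoveryFlowClient(transport)
    client.start(username, "EMAIL")
    client.exchange_recovery_token(recovery_token)
    client.answer_question(answer)
    return client.reset_password(new_password)


# --- constructed fake servers so the example runs offline ----------------------

def make_fake_server(reset_status: str) -> Transport:
    """Simulate the flow; reset_status is what reset_password reports back."""
    statuses = {
        "api/v1/authn/recovery/password": "RECOVERY_CHALLENGE",
        "api/v1/authn/recovery/token": "RECOVERY",
        "api/v1/authn/recovery/answer": "PASSWORD_RESET",
        "api/v1/authn/credentials/reset_password": reset_status,
    }

    def transport(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        return {"status": statuses[path], "stateToken": "constructed-state-token"}

    return transport


def check_server(transport: Transport) -> bool:
    """True if every transition matched EXPECTED_STATUS, False if any step deviated."""
    try:
        run_recovery(transport, "alice@example.com", "constructed-recovery-token",
                     "constructed-answer", "constructed-new-password")
        return True
    except RecoveryFlowError:
        return False


if __name__ == "__main__":
    print("conforming server:", check_server(make_fake_server("SUCCESS")))
    print("server behaving as in the question:", check_server(make_fake_server("MFA_REQUIRED")))
```

The point of the check is that a reset_password response of MFA_REQUIRED is surfaced as a deviation and logged in `transcript` instead of being treated as a completed reset, and that the client itself never calls reset_password from any state other than PASSWORD_RESET.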

Hello @ch87r (ch87r) Thank you for reaching out to our Community!
The status should indeed change to "RECOVERY_CHALLENGE"; please see our doc below with the required steps and review the current action taken. Please also make sure that all conditions are met:
https://developer.okta.com/docs/reference/api/authn/#recovery-operations
My advice would be to leverage the Okta Developer forums for this type of question and take advantage of their expertise.
https://devforum.okta.com/