WF-117: Account Recovery
Workflow ID: WF-117 Category: Security Priority: P2 Last Updated: January 11, 2026
Overview
This workflow handles account recovery for users who are locked out, including identity verification, password reset, MFA reset, and support escalation procedures.
Trigger Events
- User clicks "Forgot Password"
- User cannot complete 2FA
- User reports lost device
- Account locked due to failed attempts
- Support ticket for access recovery
Sequence Diagram
Process Steps
1. Self-Service Password Reset
Standard Flow:
- User clicks "Forgot Password" on login page
- Enter registered email address
- Receive email with reset link (valid 1 hour)
- Click link, enter new password
- Login with new password
Password Requirements:
| Requirement | Rule |
|---|---|
| Length | Minimum 12 characters |
| Complexity | Upper, lower, number, symbol |
| History | Cannot reuse last 5 passwords |
| Expiry | Link expires in 1 hour |
2. MFA Recovery Options
Option A: Backup Codes
If user has backup codes:
- Select "Use backup code" on 2FA screen
- Enter one of 10 pre-generated codes
- Login successful
- Warned to regenerate codes
Option B: Recovery Email
If backup email H.P.009-CONFIGured:
- Request recovery to backup email
- Verify via backup email link
- Temporarily disable 2FA (30 minutes)
- Login and reH.P.009-CONFIGure 2FA
Option C: Support Ticket
If no backup methods available:
- Submit support ticket
- Identity verification required
- Admin approval needed
- Manual MFA reset
3. Identity Verification
Required Documents (Any 2):
| Document Type | Examples |
|---|---|
| Government ID | Passport, Driver's License |
| Address Proof | Utility bill, Bank statement |
| Employment | Company email verification |
| Payment | Credit card last 4 digits on file |
Verification Process:
Day 1: User submits ticket + documents
Day 1-2: Support reviews documents
Day 2-3: Admin approval/denial
Day 3: MFA reset executed (if approved)
4. Account Unlock
Lockout Triggers:
| Trigger | Lock Duration | Unlock Method |
|---|---|---|
| 5 failed passwords | 15 minutes | Wait or reset |
| 10 failed passwords | 1 hour | Reset only |
| 3 failed 2FA | 30 minutes | Wait or backup |
| Security flag | Indefinite | Support ticket |
Automatic Unlock:
- Wait for lockout duration
- Use password reset flow
Manual Unlock:
- Admin unlocks via dashboard
- Requires audit trail entry
5. Support Escalation
Escalation Path:
Level 1: Automated recovery
↓ (Failed)
Level 2: Support ticket + ID verification
↓ (Failed or flagged)
Level 3: Admin review + manual verification
↓ (Failed or suspicious)
Level 4: Security team investigation
API Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/auth/recovery/initiate | POST | Start recovery flow |
/api/v1/auth/recovery/verify | POST | Verify recovery token |
/api/v1/auth/recovery/password | POST | Set new password |
/api/v1/auth/recovery/mfa | POST | Request MFA reset |
/api/v1/auth/recovery/backup-code | POST | Use backup code |
Request: Initiate Recovery
POST /api/v1/auth/recovery/initiate
{
"email": "user@example.com",
"recovery_type": "password"
}
Response
{
"status": "email_sent",
"recovery_id": "rec_123",
"expires_at": "2026-01-11T13:00:00Z",
"masked_email": "u***@example.com"
}
Email Templates
Password Reset Email
Subject: Reset your CODITECT password
Hi [Name],
We received a request to reset your password.
Reset your password: [RESET_URL]
This link expires in 1 hour.
If you didn't request this, ignore this email.
Your password will not change.
- CODITECT Security Team
MFA Reset Notification
Subject: Two-factor authentication has been reset
Hi [Name],
Your two-factor authentication has been reset.
Action required: Log in and set up 2FA again.
If you didn't request this, contact support immediately.
- CODITECT Security Team
Security Measures
| Measure | Implementation |
|---|---|
| Rate limiting | 3 recovery requests per hour |
| Token expiry | 1 hour for password, 24h for MFA ticket |
| Notification | Email on all recovery actions |
| Audit logging | All attempts logged |
| IP tracking | Recovery attempts from unusual IPs flagged |
Audit Events
| Event | Logged |
|---|---|
recovery.initiated | Email, Type, IP |
recovery.token.validated | Token ID, Result |
recovery.password.changed | User ID, IP |
recovery.mfa.requested | User ID, Reason |
recovery.mfa.approved | Admin ID, User ID |
recovery.mfa.denied | Admin ID, User ID, Reason |
account.unlocked | Admin/Auto, User ID |
Error Messages
| Error | User Message | Support Action |
|---|---|---|
EMAIL_NOT_FOUND | "Check your email" (same msg) | Verify email |
TOKEN_EXPIRED | "Link expired, request new one" | Resend |
RATE_LIMITED | "Too many attempts, wait 1 hour" | Wait or escalate |
VERIFICATION_FAILED | "Verification failed" | Manual review |
Related Workflows
Last Updated: January 11, 2026