Forgot Password

Typically, your application would not need to direct a user to reset his or her password. A user would reset it by clicking the Forgot Password link on the NYC.ID Login page. You may want to direct a user to reset his or her password when you are integrating NYC.ID with an existing application that meets the following criteria:

  1. Your application supports SAML, and
  2. your application has enabled authentication via social identity providers, and
  3. a user has authenticated with your application and is attempting to re-authenticate via the Authenticate Web Service v2 or Authenticate Web Service v3, and
  4. a reason of notFound is returned. This indicates that the user authenticated with a social identity provider and does not have a linked NYC.gov account.

Integrating Forgot Password

In the above scenario, your application should send the user to this relative URL to reset his or her password:

GET /account/forgotPassword.htm

For additional functionality, you can include the following optional parameters.

Parameter Name Parameter Description
fromKiosk (Deprecated) This parameter is passed to the Create Account page. Learn about Registration.
target

The URI (encoded in Base64) that the user is sent to after completing the forgot password process.

The "target" query string parameter must have a domain name of [an error occurred while processing this directive]. Please contact nycidintegration@doitt.nyc.gov to add your domain name to the list of valid domains.
lang A language code. Learn about Internationalization and Localization for a list of supported language codes. Defaults to en.
emailAddress The value to display and populate within the Email Address or Username field
spName Your application's SAML Service Provider (SP) Metadata name, found in the NYC.ID Console. This value is used to override the Application Brand Banner computed from the "target" parameter. Learn more about Application Brand Banner Logic
! IMPORTANT: If the "target" parameter isn't specified or is invalid, NYC.ID will send the user to NYC.gov

When a user visits the Forgot Password page,

  1. the user enters his or her email address or username and clicks the Submit button.
  2. A user will be directed to reset his or her password
    1. via email, or
    2. by answering a security question
  3. If the user is logged in and the user has a validated email address, NYC.ID will direct the user to his or her Account Profile.
NOTE: If a user doesn't have security questions and has a username, the user cannot reset his or her password.

 

Resetting via Email

If the user has an email address,

  1. the user receives an email, which contains a reset password link.
  2. When the user clicks the link, the Reset Password page appears.
    NOTE: The password reset link in the email expires in 72 hours.
  3. The user must enter a new password. If a user's account does not have security questions associated with it, the user will be prompted to select and answer them.
  4. The user clicks the Save Password button.
    ! IMPORTANT: All active OAuth access tokens for the user are revoked. Learn about Mobile.
  5. To return to your application via the URL specified in the "target" parameter, the user clicks the Continue button.

 

Resetting via Security Questions

If the user does not have an email address,

  1. a user is prompted to answer the security question associated with the user's account.
  2. ! IMPORTANT: After five consectuve failed attempts to answer the security question, a user must wait fifteen minutes before making a consecutive attempt.
  3. When the user clicks the Continue button, the Reset Password page appears.
  4. The user must enter a new password.
  5. The user clicks the Save Password button.
    ! IMPORTANT: All active Oauth access tokens for the user are revoked. Learn about Mobile.
  6. To return to your application via the URL specified in the "target" parameter, the user clicks the Continue button.