Simulated forgotten password email step

A step in the Journey Builder is a component used to configure and customize a login, registration, or self-service workflow.

The Simulated forgotten password email step lets brands mimic the password recovery experience without revealing whether an account exists. This step is used as a follow-up to a Simulated password step and maintains consistency in messaging and behavior to protect against account enumeration.

Capabilities

  • Mimics email-based password reset flow without sending an actual email.
  • Displays a generic confirmation message using a dynamic target.
  • Allows journey logic to continue without revealing account existence or triggering backend operations.
  • Supports the "Not you?" use case by resetting the journey flow.

Sample use cases

  • Display a consistent recovery flow for non-existent accounts without sending real reset emails.
  • Prevent enumeration through password reset behavior while maintaining a positive customer experience.

Configuration

To add a Simulated forgotten password email step to your journey, follow the steps below:

  1. Go to the Journey Builder in the left-hand menu of the Admin Console.
  2. Create a new journey or select an existing one to edit.
  3. In the canvas, select the + icon and choose Simulated password from the step list.
  4. Select the pencil icon to configure the step:
    1. Step name (optional): Internal-only label to help identify the step.
    2. Identifier source path: This is the key used to retrieve the customer identifier from the journey context. The identifier must have been passed into the journey or stored earlier in the flow.
      For example, if the journey is started from a hook using:
      callback(new StartJourney(new Journey('journey-id', { 'identifier': '[email protected]' }), session));
      
      then the source path should be set to identifier.
    3. Target source path: This defines the key that contains the value used for the confirmation text ("We have emailed you a link to [email protected]"). The actual value is passed into the journey context.
      You can provide this value when starting the journey from a hook:
      callback(new StartJourney(new Journey('journey-id', {
        'identifier': '[email protected]',
        'targetKey': '[email protected]'
      }), session));
      
      In this case, you would set:
      • Identifier source path = identifier
      • Target source path = targetKey
  5. Connect the failure outcome to the next step in the journey.
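The hook-side half of this configuration, as an added example that is not part of the product documentation: it builds the context object passed as the second argument to new Journey('journey-id', …) so that a known and an unknown identifier yield the same keys (identifier, targetKey) and the same confirmation text. The functions maskEmail, buildJourneyContext and lookupUser, the SAMPLE_DIRECTORY data and the record field email are assumptions made for this example.

```javascript
// Added example, not from the product documentation. Builds the journey
// context read by the Simulated forgotten password email step through its
// "Identifier source path" (identifier) and "Target source path" (targetKey).
// Assumed: the hook already holds the submitted identifier and an optional
// directory record with an `email` field; `record` is null when no account
// exists.

// Mask an address for display so the confirmation text never echoes a full
// address: "alice@example.com" -> "a***@example.com". Anything that is not an
// email address is reduced to "***" so nothing about it is revealed.
function maskEmail(address) {
  const at = address.indexOf('@');
  if (at < 1) return '***';
  return `${address[0]}***@${address.slice(at + 1)}`;
}

// For a real account the target comes from the stored recovery email; for an
// unknown account it is derived from the submitted identifier, so the text
// "We have emailed you a link to m***@example.com" looks the same either way
// and the response cannot be used to tell the two cases apart.
function buildJourneyContext(identifier, record) {
  const recoveryEmail = record && record.email ? record.email : identifier;
  return {
    identifier,
    targetKey: maskEmail(recoveryEmail),
  };
}

// Constructed sample directory used only to demonstrate the two branches.
const SAMPLE_DIRECTORY = {
  'alice@example.com': { email: 'alice@example.com' },
};

function lookupUser(identifier) {
  return SAMPLE_DIRECTORY[identifier] || null;
}

// Inside the hook the context is handed to the journey exactly as the page
// shows; `callback`, `StartJourney`, `Journey` and `session` come from the
// hook runtime and are not defined here:
//   callback(new StartJourney(new Journey('journey-id',
//     buildJourneyContext(identifier, lookupUser(identifier))), session));
```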

Note: This step does not send an email. It only simulates the customer experience of a password reset to help prevent account discovery by attackers.

Known limitations and behaviors

  • If a username-only identity store is used, the “Forgot your password?” link will still appear if password reset is enabled in the Self-service policy and a valid email attribute is configured for the account with a matching email authenticator.
  • This step is not effective for username-MFA or username-MFA-password flows, where MFA is required before the password step. Since the journey cannot bypass MFA to reach the password input, the simulation logic cannot be executed in these cases.
  • If a post-identification hook or a journey launched from an unidentified user hook contains slow or time-consuming logic, response times may differ noticeably between valid and invalid identifiers.
  • Simulated password and forgotten password steps do not prevent enumeration if password reset is enabled and the affected accounts lack either:
    • an email identifier, or
    • a valid email attribute mapped to the primaryEmail native claim with a corresponding email authenticator.
      To mitigate this, ensure accounts have recoverable identifiers or enable the Allow non-confirmed email-based address account recovery option in the Adaptive MFA policy.