Simulated password step

A step in the Journey Builder is a component used to configure and customize a login, registration, or self-service workflow.

The Simulated password step allows brands to respond to invalid login attempts in a way that protects against account enumeration. When a customer enters an identifier that does not exist (such as an unknown email address), this step mimics the behavior of a standard password prompt without revealing whether the account exists. The step looks and behaves like a real password screen, including error handling and links, but no credential validation takes place and the attempt can never succeed.

Capabilities

  • Mimics the UI and behavior of a real password screen when the identifier does not match an existing account.
  • Returns a standard password failure response to maintain consistency and prevent information leakage.
  • Includes a "Forgot your password?" link that can route to a corresponding simulated recovery step.
  • Prevents attackers from distinguishing valid from invalid accounts based on the response content or its timing (subject to the known limitations listed below).

Sample use cases

  • Prevent account enumeration by showing the same behavior for existing and non-existing accounts.
  • Route login attempts with unknown identifiers into a safe and consistent journey flow.
  • Delay or divert potentially malicious automation without disrupting the customer experience for valid customers.

Configuration

To add a Simulated password step to your journey, follow the steps below:

  1. Go to the Journey Builder in the left-hand menu of the Admin Console.
  2. Create a new journey or select an existing one to edit.
  3. In the canvas, select the + icon and choose Simulated password from the step list.
  4. Select the pencil icon to configure the step:
    1. Step name (optional): Internal-only label to help identify the step.
    2. Identifier source path: The key used to retrieve the customer identifier from the journey context. The identifier must have been passed into the journey when it was started or stored earlier in the flow.
      For example, if the journey is started from a hook using:
      callback(new StartJourney(new Journey('journey-id', { 'identifier': '[email protected]' }), session));
      
      then the source path should be set to identifier.
  5. Connect outcomes to other steps:
    1. forgottenPasswordEmail: Routes to the Simulated forgotten password email step.
    2. failure: Routes to a fallback or error path once the configured number of invalid attempts has been reached.

Note: This step does not validate credentials or reveal whether the identifier exists. All responses match the behavior of a legitimate login attempt.

Known limitations and behaviors

  • In a username-only identity store, the “Forgot your password?” link still appears when password reset is enabled in the Self-service policy and the account has a valid email attribute with a matching email authenticator.
  • This step is not effective for username-MFA or username-MFA-password flows, where MFA is required before the password step. Because the journey cannot bypass MFA to reach the password input, the simulation logic is never executed in these cases.
  • If a post-identification hook, or a journey launched from an unidentified user hook, contains slow or time-consuming logic, that latency is added to only one of the two paths, so response times may differ noticeably between valid and invalid identifiers.
  • The Simulated password and Simulated forgotten password steps do not prevent enumeration if password reset is enabled and the affected accounts lack either:
    • an email identifier, or
    • a valid email attribute mapped to the primaryEmail native claim with a corresponding email authenticator.
      To mitigate this, ensure that accounts have recoverable identifiers, or enable the Allow non-confirmed email-based address account recovery option in the Adaptive MFA policy.