Skip to content

Reset your password

Password recovery does not reveal whether an account exists. It creates a short-lived backend challenge and exposes only the verification methods allowed for that account and policy.

Typical time
5–10 minutes
You need
Email or authenticator access
Outcome
A new password and fresh sign-in
  1. On Sign in, choose Forgot password?.
  2. On Reset password, enter Email address.
  3. Choose Continue once and wait for Preparing recovery….
  4. Use Sign in if you remember the password.
  5. Use Create account only when you do not have an account.

The response remains deliberately neutral. Do not use recovery messages to test whether another person has an account.

Recovery 1 of 5 · Screenshot placeholder

Start a protected password reset

Show Reset password, Email address, Continue, Sign in, and Create account.

Future capture briefUse a synthetic email. Hide URL parameters, real identities, browser history, cookies, tokens, and password-manager data.

The page changes to Verify identity and displays only a masked account and the allowed verification methods.

  1. Choose Email code or Authenticator code.
  2. For email, wait for the automatic send or choose Resend code once.
  3. For authenticator, open the correct enrolled account in your app.
  4. Do not share either code.

Changing methods selects and prepares that backend challenge method. Starting a new reset invalidates assumptions about an older challenge.

Recovery 2 of 5 · Screenshot placeholder

Choose an allowed recovery method

Show Verify identity, masked Account, Email code, Authenticator code, and Back to recovery.

Future capture briefNever show a real email, code, challenge ID, query string, authenticator screen, or account-existence signal.
  1. Enter the six-digit Verification code or Authenticator code.
  2. Choose Verify identity and wait for Verifying….
  3. If the email code expired, choose Resend code once and use the newest one.
  4. If the recovery session is missing, choose Back to recovery and start over.

Recovery 3 of 5 · Screenshot placeholder

Verify the reset challenge

Show the selected method, empty code field, Resend code where applicable, Verify identity, and the persistent status banner.

Future capture briefKeep the code empty and hide challenge IDs, expiry values, inbox content, authenticator data, tokens, and cookies.

The page title changes to New password. That transition proves the current reset challenge was authorized; it does not authenticate a normal product session.

  1. Enter New password.
  2. Follow the displayed policy, including at least 12 characters, uppercase, and a special character when required.
  3. Enter Confirm password exactly.
  4. Choose Update password and wait for Updating password….
  5. On Sign in, confirm Password updated. Sign in with your new password.

Recovery 4 of 5 · Screenshot placeholder

Set and confirm the new password

Show New password, Confirm password, password requirements, Update password, and Back to recovery.

Future capture briefKeep both passwords masked. Exclude password-manager suggestions, codes, account data, URLs, tokens, cookies, and browser storage.

Use the new password on Sign in. Complete any required second factor. Do not expect the reset page to create a signed-in session.

Recovery 5 of 5 · Screenshot placeholder

Confirm password reset completion

Show Sign in with the Password updated notification and empty password field.

Future capture briefUse a synthetic masked email. Hide passwords, codes, session data, cookies, tokens, URLs, and browser storage.

Start again once. If the account has no reachable permitted factor, use your organization’s verified recovery process. Do not create a bypass.

Confirm the selected method and use the newest current code. Do not repeatedly guess; challenges expire and attempts can be rate limited.

Meet every visible password requirement and make both values match exactly.

The reset page says the session is unavailable

Section titled “The reset page says the session is unavailable”

Use Back to recovery. Never edit or reuse the challenge URL.