Account Recovery
Practical patterns for password reset and recovery flows that are secure, calm, and accessible.
01 — Foundation
Recovery flows restore access calmly
Forgotten passwords are stressful — the UI should reduce panic, not add it.
Account recovery — password reset, magic links, backup codes — is security critical and emotionally charged. Clear steps, honest messaging, and accessible forms help users get back in without support tickets or abandoned accounts.
02 — Reset
Password reset requests
Tell users what happens next without leaking whether an account exists.
- single-purpose form — email or username with a clear submit label
- neutral success message — “If an account exists, we sent instructions”
- do not reveal whether an email is registered — prevents account enumeration
- link expiry and rate limiting handled server-side; UI explains delays calmly
<p role="status">
If an account exists for that email, you will receive reset instructions shortly.
</p>
03 — New password
Setting a new password
Requirements should be visible before submit, not only in error messages.
- show password rules up front; confirm field when policy requires it
- handle expired or invalid tokens with a clear path to request a new link
- success confirms login or next step — “Password updated. Sign in.”
- accessible labels, errors, and focus — see Accessible Forms
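The neutral reset request from section 02 and the expired or invalid token path from section 03, as one added Python example (not code from the original page); the in-memory user store, the sender callable, the 15-minute token lifetime and the message strings are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
NEUTRAL_MESSAGE = "If an account exists for that email, you will receive reset instructions shortly."
TOKEN_MESSAGES = {  # what the UI shows when a link cannot be used; both offer a way to request a new one
    "expired": "This reset link has expired. Request a new one below.",
    "invalid": "This reset link is not valid. Request a new one below.",
}


class ResetService:
    """Issues and redeems single-use password reset tokens (constructed in-memory store)."""

    def __init__(self, users, sender, clock=time.time):
        self.users = users      # email -> account dict (constructed sample store)
        self.sender = sender    # callable(email, token); should enqueue so response time does not depend on it
        self.clock = clock
        self.pending = {}       # sha256(token) -> {"email", "expires"}

    @staticmethod
    def _hash(token):
        # Only a hash is stored, so a leaked table cannot be replayed as live links
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return the same message whether or not the account exists (no enumeration)."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[self._hash(token)] = {"email": email, "expires": self.clock() + TOKEN_TTL_SECONDS}
            self.sender(email, token)  # the raw token travels only in the message to the user
        return NEUTRAL_MESSAGE

    def check_token(self, token):
        """Return ("ok", email), ("expired", None) or ("invalid", None); expired entries are dropped."""
        entry = self.pending.get(self._hash(token))
        if entry is None:
            return ("invalid", None)
        if self.clock() > entry["expires"]:
            del self.pending[self._hash(token)]
            return ("expired", None)
        return ("ok", entry["email"])

    def complete_reset(self, token, new_password_hash):
        """Consume the token and update the password; return the text the UI should show."""
        status, email = self.check_token(token)
        if status != "ok":
            return TOKEN_MESSAGES[status]
        del self.pending[self._hash(token)]  # single use: a second submit of the same link is invalid
        self.users[email]["password_hash"] = new_password_hash
        return "Password updated. Sign in."
```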
04 — Security
Trust and abuse resistance
Recovery is a favourite attack surface — UX must not undermine defences.
- HTTPS everywhere; never send credentials in query strings
- optional MFA or backup codes documented where your product supports them
- suspicious activity messaging without alarming every legitimate user
05 — Review
Before you approve
A short checklist for account recovery in code review.
- reset request does not enumerate accounts; instructions are clear
- token expiry and errors offer a recovery path
- forms are accessible; success and failure are specific