Password Reset Security

Password reset is one of the most sensitive account recovery paths in any authentication system. DarkAuth keeps the public flow generic, stores reset tokens as hashes, and invalidates active state after successful reset.

Reset tokens are high-entropy, time-limited, and single use. DarkAuth stores only HMAC-SHA-256 token hashes using server-side key material when available. Creating a new token consumes other active tokens for the same user.

The public reset request returns the same message whether an account exists or not. Invalid, unknown, disabled, unverified, and SMTP-failure paths should not reveal account state to the requester.

Successful reset consumes the token, replaces the OPAQUE record, records password history for reuse checks, clears reset-required state, consumes other active reset tokens, and deletes active sessions, authorization codes, and pending authorization requests.

Password reset restores account access. It does not automatically recover encrypted content protected by old password-derived material. Applications using DRK-protected data must provide and document their own recovery story.