Forgot Password Page

About this block

Forgot Password Page is the rare honest version of this screen: the muted callout inside the card tells the user explicitly that the page returns the same response whether or not an account exists for the address, and explains why, it stops the form being used to check who has an account. The main form is a single email input and a Send reset link button. The footer carries the timing facts: links arrive within a minute, expire after 15, sending a new one cancels the old, and current sessions stay signed in until the password changes.

No data arrays are needed; the anti-enumeration note is inline copy. Stating the reason for the identical response earns more user trust than hiding it.

When to use

Reach for this block as the password recovery entry point, wired to your reset-link issuer endpoint. The endpoint must return the same HTTP status and body regardless of whether the email is found; the card copy backs that guarantee up front.

A natural flow around it on an Application Pro page:

Before

• Sign in page

After

• Sign in page

What you can display

One strong use is the account recovery form. Other shapes:

• Sent confirmation. A second state card after submit matching the magic link sent card pattern.
• SSO redirect. When the email domain matches a SAML tenant, swap the form for a Continue with SSO prompt instead.
• Admin reset. Admins triggering a forced reset for a team member; subheading names the target account.

Tip: publish the timing facts in the footer even before the user submits; users who see links expire after 15 minutes do not wait 30 then file a ticket.