Merge pull request #5720 from AnuradhaSK/recovery-portal-best-practice

AnuradhaSK · web-flow · commit daad7a6d15b5 · 2025-11-20T22:49:40.000+05:30
Fix indentation issue
diff --git a/en/identity-server/6.1.0/docs/apis/recovery-portal-best-practices.md b/en/identity-server/6.1.0/docs/apis/recovery-portal-best-practices.md
@@ -4,38 +4,38 @@ This guide outlines recommended best practices for designing and deploying such
 
 1. Add reCAPTCHA to the flow initiation step
 
-   - Before sending an OTP or recovery code, require reCAPTCHA verification to block bots and brute-force attempts.
-   - Apply reCAPTCHA to:
-     - Forgot Password initiation
-     - Resend recovery code endpoints
-   - reCAPTCHA protects against automated SMS/email flooding and username enumeration.
+    - Before sending an OTP or recovery code, require reCAPTCHA verification to block bots and brute-force attempts.
+    - Apply reCAPTCHA to:
+        - Forgot Password initiation
+        - Resend recovery code endpoints
+    - reCAPTCHA protects against automated SMS/email flooding and username enumeration.
 
 2. Prevent username enumeration
 
-   - Ensure API responses didn't reveal whether an account exists.
-   - Use a generic message such as: "If the provided username is valid, an OTP will be sent to the registered email address or phone number."
-   - Return the same response for valid and invalid usernames to avoid revealing account existence.
+    - Ensure API responses didn't reveal whether an account exists.
+    - Use a generic message such as: "If the provided username is valid, an OTP will be sent to the registered email address or phone number."
+    - Return the same response for valid and invalid usernames to avoid revealing account existence.
 
 3. Enforce a short OTP or recovery link lifespan
 
-   - Set a short validity period for OTP or recovery link (recommended: 1 minute) to reduce risk from interception.
-   - A short expiration window significantly reduces exposure.
+    - Set a short validity period for OTP or recovery link (recommended: 1 minute) to reduce risk from interception.
+    - A short expiration window significantly reduces exposure.
 
 4. Increase OTP complexity
 
-   - Use stronger OTP to resist brute-force and guessing attacks:
-     - Use 6–8 digit numeric OTP or alphanumeric OTP.
-   - Stronger OTPs increase the difficulty of automated attacks.
+    - Use stronger OTP to resist brute-force and guessing attacks:
+        - Use 6–8 digit numeric OTP or alphanumeric OTP.
+    - Stronger OTPs increase the difficulty of automated attacks.
 
 5. Implement rate limiting for OTP submission
 
-   - Rate limit OTP verification endpoints by IP address.
-   - Consider progressive delays or temporary lockouts after repeated failures.
+    - Rate limit OTP verification endpoints by IP address.
+    - Consider progressive delays or temporary lockouts after repeated failures.
 
 6. Notify users of password recovery attempts
 
-   - Notify users when a password recovery flow completes successfully.
-   - Include in the notification:
-     - A warning if the user didn't initiate the request
-     - Recommended steps to secure their account
-   -  Notifications help users detect unauthorized activity early.
+    - Notify users when a password recovery flow completes successfully.
+    - Include in the notification:
+        - A warning if the user didn't initiate the request
+        - Recommended steps to secure their account
+    -  Notifications help users detect unauthorized activity early.
