Password reset self-service

If the user cannot remember the password, a new password can be chosen with this self-service.

• In order to do so, the user must usually provide (example):
• The username or alias.
• One of:
• Have access to the email account linked with the account.
• Have access to the mobile phone linked with the account.
• Know the correct answers to previously recorded secret questions.
• Optionally, a second authenticator factor (e.g. Airlock 2FA) is involved.
• Optionally, log out all persistently logged-in sessions (OAuth, remember-me).

Security Advisory

Enabling the password reset self-service may reduce the security of the whole system. Please check the security requirements of your solution before enabling this feature.

Some end-users use password reset to change an existing password (even if a password change self-service is available) after the existing password has been stolen or revealed to non-legitimate persons.

It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth, remember-me features). This can be done by configuring the corresponding steps after setting the new password.

• Configuration in the Loginapp REST UI: Password reset in the Loginapp REST API / UI
• Triggering password reset from the Adminapp: Password management in the IAM Adminapp
• Configuration in the JSP-Loginapp: Password reset-configuration (JSP-Loginapp)