Password change self-service

Airlock IAM supports two types of password change self-service:

Voluntary password change

The user chooses to change the password and enters the old and the new password.

Airlock IAM provides two types of this self-service:

  • A protected self-service. The user needs to be logged in to use this self-service.
  • A step for the authentication flow. It is usually used in conjunction with dynamic step activation (DSA) and can be enabled on the username/password page.

Mandatory password change

The user is forced to change the password during the login process. The login process fails if the password cannot be changed.

Password change is enforced when:

  • The password change flag is set (e.g. initial password).
  • The policy is violated by the currently used password (and the corresponding configuration option is set).

Since the mandatory password change is part of the login process, entering the existing password is optional (depending on configuration).

The voluntary password change self-service may be used after the existing password has been stolen or revealed to unauthorized persons.

It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth, remember-me features). This can be done by configuring the corresponding steps after setting the new password.