Password reset self-service

If the user cannot remember the password, a new password can be chosen with this self-service.

In order to do so, the user must usually provide the following (example):

  • The username or alias.
  • One of:
    • Access to the email account linked with the account.
    • Access to the mobile phone linked with the account.
    • The correct answers to previously recorded secret questions.
  • Optionally, a second authentication factor (e.g. Airlock 2FA) is required.
  • Optionally, all persistently logged-in sessions (OAuth, remember-me) are logged out.

Security Advisory

Enabling the password reset self-service may reduce the security of the whole system. Please check the security requirements of your solution before enabling this feature.

Some end-users use the password reset self-service to replace an existing password (even if a password change self-service is available) after that password has been stolen or disclosed to unauthorized persons.

It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth, remember-me features); otherwise, whoever already holds a persistent session or refresh token keeps access after the reset. This can be done by configuring the corresponding steps after setting the new password.
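The reset flow described above, written out as an added example in Python (this is illustrative code, not Airlock IAM's own implementation or configuration): the user names the account, proves control of the linked mailbox with a one-time token, optionally passes a second factor, sets the new password, and finally has all persistent sessions revoked. The in-memory user store, the simulated e-mail outbox, the `second_factor` callback standing in for Airlock 2FA, the 15-minute token lifetime and the PBKDF2 work factor are all assumptions of this example.

```python
"""Minimal password-reset self-service modelling the steps above (illustrative, not Airlock code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

RESET_TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed value)
PBKDF2_ROUNDS = 100_000     # assumed work factor for the password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


@dataclass
class User:
    username: str
    email: str
    password_hash: str
    # ids of remember-me cookies / OAuth refresh tokens still valid for this user
    persistent_sessions: Set[str] = field(default_factory=set)
    # at most one outstanding reset: (sha256 of the token, expiry timestamp)
    pending_reset: Optional[Tuple[str, float]] = None


class PasswordResetService:
    def __init__(self, users: Dict[str, User], outbox: List[Tuple[str, str]],
                 second_factor: Optional[Callable[[User, Optional[str]], bool]] = None,
                 now: Callable[[], float] = time.time) -> None:
        self.users = users            # keyed by username or alias (constructed store)
        self.outbox = outbox          # simulated e-mail delivery: (address, token)
        self.second_factor = second_factor  # stands in for a 2FA check such as Airlock 2FA
        self.now = now

    def request_reset(self, username_or_alias: str) -> None:
        """Step 1: prove control of the linked mailbox by sending a one-time token there."""
        user = self.users.get(username_or_alias)
        if user is None:
            return  # same outcome either way, so usernames cannot be enumerated
        token = secrets.token_urlsafe(32)
        # only the hash is stored, so a leaked database does not yield usable reset tokens
        user.pending_reset = (hashlib.sha256(token.encode()).hexdigest(),
                              self.now() + RESET_TOKEN_TTL)
        self.outbox.append((user.email, token))

    def complete_reset(self, username: str, token: str, new_password: str,
                       otp: Optional[str] = None, logout_all: bool = True) -> bool:
        """Step 2: verify token (+ optional second factor), set password, revoke sessions."""
        user = self.users.get(username)
        if user is None or user.pending_reset is None:
            return False
        token_hash, expires_at = user.pending_reset
        user.pending_reset = None  # single-use: consumed whether or not the attempt succeeds
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented) or self.now() > expires_at:
            return False
        if self.second_factor is not None and not self.second_factor(user, otp):
            return False
        user.password_hash = hash_password(new_password)
        if logout_all:
            # the step the advisory recommends: remember-me / OAuth sessions stop working
            user.persistent_sessions.clear()
        return True


if __name__ == "__main__":
    # constructed demo data
    store = {"alice": User("alice", "alice@example.test", hash_password("old-pw"),
                           {"remember-me-cookie-1", "oauth-refresh-2"})}
    mail: List[Tuple[str, str]] = []
    svc = PasswordResetService(store, mail, second_factor=lambda u, otp: otp == "123456")
    svc.request_reset("alice")
    _, sent_token = mail[0]
    print("reset ok:", svc.complete_reset("alice", sent_token, "new-pw", otp="123456"))
    print("persistent sessions left:", store["alice"].persistent_sessions)
```

The second step deliberately consumes the pending token before checking it, so a guessed or expired token cannot be retried, and the session set is cleared only after the new password is in place, mirroring the "log out after setting the new password" ordering the advisory describes.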