If the user cannot remember the password, a new password can be chosen with this self-service.
- In order to do so, the user must usually provide (example):
  - The username or alias.
  - One of:
    - Access to the email account linked with the account.
    - Access to the mobile phone linked with the account.
    - The correct answers to previously recorded secret questions.
- Optionally, a second authentication factor (e.g. Airlock 2FA) is involved.
- Optionally, all persistently logged-in sessions (OAuth, remember-me) are logged out.
Security Advisory
Enabling the password reset self-service may reduce the security of the whole system. Please check the security requirements of your solution before enabling this feature.
Some end-users use password reset to change an existing password (even if a password change self-service is available) after the existing password has been stolen or revealed to non-legitimate persons. Setting a new password alone does not end sessions that were established with the old one.
It is therefore good practice to log out all persistently logged-in browsers and devices (OAuth, remember-me features). This can be done by configuring the corresponding steps after setting the new password.
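The flow above, as an added illustration (not code from Airlock IAM): the reset requires the username plus one proof of identity, optionally a second factor, and finishes by revoking every persistent token. The `User` record, the token store and the `second_factor_ok` flag are constructed assumptions standing in for the real user directory and 2FA check.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class User:
    """Constructed in-memory record; stands in for the IAM user directory."""
    username: str
    password_hash: str
    email_otp: str = None                 # one-time code sent to the linked email
    secret_answers: dict = field(default_factory=dict)
    password_changed_at: float = 0.0
    persistent_tokens: dict = field(default_factory=dict)  # token -> issued_at

def verify_identity(user, email_otp=None, answers=None):
    """Reset requires the username plus ONE of: the emailed code, or all
    recorded secret answers (constant-time compares avoid timing leaks)."""
    if email_otp is not None and user.email_otp is not None:
        return hmac.compare_digest(email_otp, user.email_otp)
    if answers and user.secret_answers:
        return all(hmac.compare_digest(answers.get(q, ""), a)
                   for q, a in user.secret_answers.items())
    return False

def issue_persistent_token(user):
    """Remember-me / OAuth refresh token, recorded with its issue time."""
    token = secrets.token_urlsafe(16)
    user.persistent_tokens[token] = time.time()
    return token

def reset_password(user, new_hash, email_otp=None, answers=None, second_factor_ok=True):
    """Full flow: prove identity, pass the optional second factor, set the
    password, then log out every persistently logged-in browser and device."""
    if not second_factor_ok or not verify_identity(user, email_otp, answers):
        return False
    user.password_hash = new_hash
    user.email_otp = None                 # the emailed code is single-use
    user.password_changed_at = time.time()
    user.persistent_tokens.clear()        # the logout step from the advisory
    return True

def token_still_valid(user, token):
    """Reject tokens issued before the reset even if a replica of the token
    store still lists them (defense in depth for the logout step)."""
    issued_at = user.persistent_tokens.get(token)
    return issued_at is not None and issued_at >= user.password_changed_at
```

The `password_changed_at` comparison is what makes the logout hold for tokens that cannot be revoked individually, such as self-contained access tokens whose issue time is checked on use.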