Introduction
The Self-Service Password Reset has got to be one of the most used features of RES ONE Identity Director (previously RES ONE Service Store/RES IT Store). It allows a user to reset his/her Active Directory user account password without assistance from the IT organization. The service is available 24/7, so even in the evening or at the weekend the user can make use of it.
While this is a very useful service, you should think about the security implications. Since the user apparently cannot log in, he/she must be able to open the RES ONE Identity Director site without authenticating, and typically from an untrusted network like the internet. But this would imply that everyone with internet access can change the password of a user account as long as the username is known. So how do you verify that the user requesting the service is actually the user in question?