Skip to content

Configuring User Authentication for Password Resets

You can configure which authentication methods are available to different types of users when they reset their passwords or unlock their accounts. Because different user populations might present different levels of risk to your organization, you can control their options based on the identity profile they belong to. For example, you might want to have the full set of options for employees but a single option for contractors.

Password Reset and User Unlock Method Configuration

You can configure how users are able to reset their passwords and unlock their accounts by selecting the preferred methods in the Identity Profile.


If you do not see these options, you will need to opt into the updated Password Manager experience where password resets and unlocks are managed by the choices you make in the password reset and user unlock methods, as opposed to strong authentication methods.

Using External Authentication for Password Resets and Account Unlocks

If you are using IdentityNow as your service provider, you can choose to use an external IDP to perform MFA.

You must select the sign-in method and authentication source in the Identity Profile:

  1. Go to Admin > Identities > Identity Profiles.
  2. Under Sign-in Method, select Directory Connection.
  3. Select the Authentication Source that matches the source configured in your IDP. This feature only works if the identifying characteristics match in both the directory and IdentityNow.
  4. Under Password Reset and User Unlock Methods, select By authenticating with an external identity provider to allow multi-factor authentication with the external identity provider you use. When you select this option, the other options will be disabled.

When enabled, if a user tries to reset their password or unlock their account, they will be directed to their external IDP to authenticate using passwordless MFA (such as receiving a push verification to the user’s phone). After the IDP verifies their identity, they are sent back to IdentityNow to reset their password or unlock their account.