What we need to keep in mind when looking at this feature is that a user who has forgotten his password is unable to authenticate properly to FIM. So, the key problem with SSPR is how to authenticate the user.
Let's take an example.
Kent, our contractor, has forgotten his password. He then makes a request anonymously to FIM to reset the password of the user account Kent. Well, FIM won't just do that! So, we tell FIM to try to figure out who the requestor is. We add an Authentication (AuthN) workflow, which gives Kent a chance to prove his identity. If the AuthN workflow proves to FIM that the requestor is indeed the user Kent, it will allow Kent to reset his password.
In FIM 2010 R2, there are two built-in ways for FIM to find out who the user is—we can use either a Question and Answer (QA) gate or a One Time Password (OTP) gate.