keycloak-scim/docs/documentation/server_admin/topics/login-settings/forgot-password.adoc

[[enabling-forgot-password]]
== Enabling forgot password

If you enable `Forgot password`, users can reset their login credentials if they forget their passwords or lose their OTP generator.

.Procedure
. Click *Realm settings* in the menu.
. Click the *Login* tab.
+
.Login tab
image:images/login-tab.png[Login Tab]
+
. Toggle *Forgot password* to *ON*.
+
A `Forgot Password?` link displays in your login pages.
+
.Forgot password link
image:images/forgot-password-link.png[Forgot Password Link]
+
. Specify `Host` and `From` in the *Email* tab in order for {Project_Name} to be able to send the reset email.
+
. Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials.
+
.Forgot password page
image:images/forgot-password-page.png[Forgot Password Page]

The text sent in the email is configurable. See link:{developerguide_link}[{developerguide_name}] for more information.

When users click the email link, {project_name} asks them to update their password, and if they have set up an OTP generator, {project_name} asks them to reconfigure the OTP generator.  Depending on security requirements of your organization, you may not want users to reset their OTP generator through email. 

To change this behavior, perform these steps:

.Procedure
. Click *Authentication* in the menu.
. Click the *Flows* tab.
. Select the *Reset Credentials* flow.
+
.Reset credentials flow
image:images/reset-credentials-flow.png[Reset Credentials Flow]
+
If you do not want to reset the OTP, set the `Reset - Conditional OTP` sub-flow requirement to *Disabled*.
. Click *Authentication* in the menu.
. Click the *Required actions* tab.
. Ensure *Update Password* is enabled.
+
.Required Actions
image:images/reset-credentials-required-actions.png[Required Actions]