Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition.
Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume.
While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie.
Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.
In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband.
Many web-based systems not using single sign-on allow users to send a password reset link to their registered email address or phone number.
However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function.
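A reset-link flow that avoids the disclosure described above can be sketched as follows. This is an added example, not code from any particular SSPR product. The class name `ResetService`, the 15-minute lifetime, the `example.invalid` link and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed link lifetime
GENERIC_REPLY = "If an account matches, a reset link has been sent."


class ResetService:
    """Hypothetical in-memory reset-link service (illustration only)."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # username -> registered e-mail (constructed data)
        self.pending = {}         # sha256(token) -> (username, expiry time)
        self.outbox = []          # (email, link) pairs; stand-in for a mail sender
        self.clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        email = self.accounts.get(username)
        if email is not None:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            expiry = self.clock() + TOKEN_TTL
            self.pending[self._digest(token)] = (username, expiry)
            link = f"https://example.invalid/reset?t={token}"
            self.outbox.append((email, link))
        # Identical reply for known and unknown users, and no masked
        # address or phone digits are echoed back to the requester.
        return GENERIC_REPLY

    def redeem(self, token):
        # pop() makes the link single-use even if redemption then fails.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            return None
        return username
```

In a real deployment the mail send would be queued so that response time does not differ between known and unknown usernames.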
Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup.
There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.).