Hi Mauricio,
Yes it is possible. My point is just that any one can know the user's email and decide to submit a password reset for them. It may not be malicious, but it is still not as secure as having to answer questions.
To change to email instead of user id, what you need to do is edit the forgotten password task (Maybe take a copy and change the link to your own task)
1. Change from using USER_ID to email
In the User Console, choose Roles and Tasks, Admin Tasks, Modify Admin Task.
Select the Forgotten Password task.
Click on The Search Tab
In the search screen for the Forgotten Password task, it also refers to a screen called the Forgotten Password Identify. You can edit this screen so that you replace the user id attribute with email instead.
2. Email the password
By default, the Forgotten Password task displays the temporary password in the User Console.
To configure the Forgotten Password task to email the temporary password:
In the Management Console, configure email notifications for the CA IdentityMinder environment.
In the User Console, choose Roles and Tasks, Admin Tasks, Modify Admin Task.
Select the Forgotten Password task.
On the Profile tab, click Business Logic Task Handlers.
The Business Logic Task Handlers screen opens. The BLTHGenerateTemporaryPassword handler should appear in the list of handlers.
Click the right arrow icon to edit the properties for the handler.
In the Property field, click the minus icon to delete the ShowPwdOnScreen property.
In the Property field, type in ShowPwdOnScreen again.
In the Value field, enter:
false
Click Add.
Regards,
Marline