diff --git a/common/models/user.js b/common/models/user.js
index 15059562..a8c448d9 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -559,11 +559,12 @@ module.exports = function(User) {
 };
 /**
- * Create a short lived acess token for temporary login. Allows users
+ * Create a short lived access token for temporary login. Allows users
 * to change passwords if forgotten.
 *
 * @options {Object} options
 * @prop {String} email The user's email address
+ * @property {String} realm The user's realm (optional)
 * @callback {Function} callback
 * @param {Error} err
 * @promise
@@ -589,7 +590,13 @@ module.exports = function(User) {
 } catch (err) {
 return cb(err);
 }
- UserModel.findOne({where: {email: options.email}}, function(err, user) {
+ var where = {
+ email: options.email,
+ };
+ if (options.realm) {
+ where.realm = options.realm;
+ }
+ UserModel.findOne({where: where}, function(err, user) {
 if (err) {
 return cb(err);
 }
diff --git a/test/user.test.js b/test/user.test.js
index 1c3806f7..402de3d2 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -20,6 +20,8 @@ describe('User', function() {
 email: 'foo1@bar.com', password: 'bar1', emailVerified: true};
 var validCredentialsEmailVerifiedOverREST = {
 email: 'foo2@bar.com', password: 'bar2', emailVerified: true};
+ var validCredentialsWithRealm = {
+ email: 'foo3@bar.com', password: 'bar', realm: 'foobar'};
 var validCredentialsWithTTL = {email: 'foo@bar.com', password: 'bar', ttl: 3600};
 var validCredentialsWithTTLAndScope = {
 email: 'foo@bar.com', password: 'bar', ttl: 3600, scope: 'all'};
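Review bot: The added JSDoc line is tagged `@property` while the sibling `email` line two above uses `@prop`, and "(optional)" does not say what omitting the realm means, even though the second hunk shows the realm filter is dropped entirely in that case so the email is then matched in any realm. Suggest `* @prop {String} realm The user's realm. Optional; when omitted the email is looked up across all realms.` so callers on realm-scoped deployments know they must pass it. The doc block this hunk edits continues past the hunk.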
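Review bot: The new `if (options.realm)` guard widens rather than tightens the lookup when the realm is missing: `where` is then `{email: options.email}` only, so on a deployment that scopes users by realm a reset request that omits the realm mints a token for whichever matching record `findOne` happens to return first. Where the model treats realm as mandatory (the hunk does not show such a setting, so confirm whether one exists and what it is called), the function should fail closed instead of dropping the filter, e.g. `if (!options.realm) { return cb(realmRequiredError); }` placed before `var where`, with the error shaped like the file's other validation errors (the one the `catch (err)` above handles). `resetPassword` begins before and ends after this hunk.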
@@ -1924,6 +1926,58 @@ describe('User', function() {
 done();
 });
 });
+
+ describe('User.resetPassword(options, cb) requiring realm', function() {
+ var realmUser;
+
+ beforeEach(function(done) {
+ User.create(validCredentialsWithRealm, function(err, u) {
+ if (err) return done(err);
+
+ realmUser = u;
+ done();
+ });
+ });
+
+ it('Reports when email is not found in realm', function(done) {
+ User.resetPassword({
+ email: realmUser.email,
+ realm: 'unknown',
+ }, function(err) {
+ assert(err);
+ assert.equal(err.code, 'EMAIL_NOT_FOUND');
+ assert.equal(err.statusCode, 404);
+
+ done();
+ });
+ });
+
+ it('Creates a temp accessToken to allow user in realm to change password', function(done) {
+ var calledBack = false;
+
+ User.resetPassword({
+ email: realmUser.email,
+ realm: realmUser.realm,
+ }, function() {
+ calledBack = true;
+ });
+
+ User.once('resetPasswordRequest', function(info) {
+ assert(info.email);
+ assert(info.accessToken);
+ assert(info.accessToken.id);
+ assert.equal(info.accessToken.ttl / 60, 15);
+ assert(calledBack);
+ info.accessToken.user(function(err, user) {
+ if (err) return done(err);
+
+ assert.equal(user.email, realmUser.email);
+
+ done();
+ });
+ });
+ });
+ });
 });
 });
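Review bot: The positive test `it('Creates a temp accessToken to allow user in realm to change password', …)` would still pass if the realm filter were removed, because only one user carries `foo3@bar.com` and its final check `assert.equal(user.email, realmUser.email)` holds for any record with that email. Add `assert.equal(user.realm, realmUser.realm);` next to it, and if the model allows the same email in different realms (not visible here) create a second user with that email in another realm in `beforeEach` and assert the token's user is `realmUser.id`, which is the case the realm filter exists for. Separately, the `resetPassword` callback `function() { calledBack = true; }` discards its error argument, so a lookup failure leaves the `once` listener waiting and the test times out with no message; `function(err) { if (err) return done(err); calledBack = true; }` surfaces it. The enclosing `describe('User', …)` block starts before this hunk.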