diff --git a/app/forms/security_event_form.rb b/app/forms/security_event_form.rb
index 0b0e983d310..96a21221b97 100644
--- a/app/forms/security_event_form.rb
+++ b/app/forms/security_event_form.rb
@@ -43,7 +43,8 @@ def submit
 occurred_at: occurred_at,
 )
- if event_type == SecurityEvent::AUTHORIZATION_FRAUD_DETECTED
+ if event_type == SecurityEvent::AUTHORIZATION_FRAUD_DETECTED &&
+ IdentityConfig.store.reset_password_on_auth_fraud_event
 ResetUserPassword.new(user: user).call
 end
 end
diff --git a/config/application.yml.default b/config/application.yml.default
index 8503564fd94..4a1c07eb8aa 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -279,6 +279,7 @@ requests_per_ip_period: 300
 requests_per_ip_track_only_mode: false
 reset_password_email_max_attempts: 20
 reset_password_email_window_in_minutes: 60
+reset_password_on_auth_fraud_event: true
 risc_notifications_local_enabled: false
 risc_notifications_active_job_enabled: false
 risc_notifications_rate_limit_interval: 60
diff --git a/lib/identity_config.rb b/lib/identity_config.rb
index c1431c0d9de..fbd3fb1e8ed 100644
--- a/lib/identity_config.rb
+++ b/lib/identity_config.rb
@@ -403,6 +403,7 @@ def self.build_store(config_map)
 config.add(:requests_per_ip_track_only_mode, type: :boolean)
 config.add(:reset_password_email_max_attempts, type: :integer)
 config.add(:reset_password_email_window_in_minutes, type: :integer)
+ config.add(:reset_password_on_auth_fraud_event, type: :boolean)
 config.add(:risc_notifications_active_job_enabled, type: :boolean)
 config.add(:risc_notifications_local_enabled, type: :boolean)
 config.add(:risc_notifications_rate_limit_interval, type: :integer)
diff --git a/spec/forms/security_event_form_spec.rb b/spec/forms/security_event_form_spec.rb
index 1b2260adb1d..4056c01d4d0 100644
--- a/spec/forms/security_event_form_spec.rb
+++ b/spec/forms/security_event_form_spec.rb
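Review bot: When `reset_password_on_auth_fraud_event` is false, the new two-line condition lets an AUTHORIZATION_FRAUD_DETECTED event fall through with no trace that the automated reset was deliberately skipped, so someone reviewing a fraud signal later cannot tell a configuration-disabled reset from one that ran. Consider an explicit branch for the disabled case that records the skip through whatever analytics or logging this form already uses (not visible in this hunk), plus a why-comment on the condition such as `# Config kill-switch for the automated credential response; when off, the fraud event is still handled above (presumably the record created by the call ending at the ')' line) but the password is left untouched.` The `submit` method starts before this hunk. The option is registered in lib/identity_config.rb and defaulted to true in config/application.yml.default in the other hunks, which is the fail-safe direction; a one-line description next to the new `config.add` entry would help operators who toggle it.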
@@ -70,8 +70,30 @@ context 'for authorization fraud events' do
 let(:event_type) { SecurityEvent::AUTHORIZATION_FRAUD_DETECTED }
- it 'resets the user password for authorization fraud detected events' do
- expect { submit }.to(change { user.reload.encrypted_password_digest })
+ context 'reset_password_on_auth_fraud_event is enabled' do
+ before do
+ allow(IdentityConfig.store).to(
+ receive(:reset_password_on_auth_fraud_event).
+ and_return(true),
+ )
+ end
+
+ it 'resets the user password for authorization fraud detected events' do
+ expect { submit }.to(change { user.reload.encrypted_password_digest })
+ end
+ end
+
+ context 'reset_password_on_auth_fraud_event is disabled' do
+ before do
+ allow(IdentityConfig.store).to(
+ receive(:reset_password_on_auth_fraud_event).
+ and_return(false),
+ )
+ end
+
+ it 'does not reset the user password for authorization fraud detected events' do
+ expect { submit }.to_not(change { user.reload.encrypted_password_digest })
+ end
 end
 it 'creates a password_invalidated event' do