You should recreate the token, not reset it - reset preserves the history, retry count, failed attempts, etc., so with a new user, you really want to clear that and start again.
So, create them a new token.
If it's a completely new user though, maybe you do want to recreate them - after all, why would you want the audit from one user to persist into another's?
All good security guides would tell you to create a unique user for every person to make sure you had a proper audit trail.
Thanks for the reply. Our usual practice is to create a brand new password token. And I do recreate the account when necessary. Is it normal to re-create the account when needed?
No - I can't think of a good reason ever to recreate an account, well, perhaps if you fired someone, then hired someone different and gave them the same user id maybe...