QBO 3 enables users to request password resets and allows security administrators to issue a password reset on behalf of a user. A password reset uses email as a side channel to deliver a one-time token that lets the user choose their new password.
Note that QBO 3 intentionally does not allow administrators to choose a password for an end user, as this violates the OWASP best practices for forgotten passwords.
The security module can force a user to change their password at login. Set Person.ForcePasswordChange to true, and the next time the user tries to log in a section for changing their password is rendered. The system validates the user against their old password before allowing the password to be changed.
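The two flows above (email-delivered one-time reset token, and a forced password change that is only honoured after the old password has been verified) as an added, illustrative model. This is not QBO 3 code: the class names, the token format, the in-memory storage and the 15-minute token lifetime are assumptions, and the email side channel is replaced by an in-memory outbox so the example runs offline.

```python
"""Model of a password-reset token flow and a forced password change at login.

Added illustration, not QBO 3 code: class names, token format, storage shapes
and the token lifetime are assumptions. Email is replaced by an in-memory outbox."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumption: reset tokens expire after 15 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Person:
    username: str
    email: str
    salt: bytes
    digest: bytes
    force_password_change: bool = False   # mirrors Person.ForcePasswordChange
    lockout: bool = False                 # mirrors IPerson.Lockout


@dataclass
class ResetToken:
    username: str
    expires_at: float
    used: bool = False


class SecurityModule:
    def __init__(self) -> None:
        self.people: Dict[str, Person] = {}
        self.reset_tokens: Dict[bytes, ResetToken] = {}   # keyed by SHA-256 of the raw token
        self.outbox: List[Tuple[str, str]] = []           # (email, raw token): constructed stand-in for email

    def add_person(self, username: str, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.people[username] = Person(username, email, salt, digest)

    def request_reset(self, username: str) -> None:
        """Issue a one-time token; only its hash is stored, the raw value goes out by email."""
        person = self.people.get(username)
        if person is None:
            return      # same observable behaviour for unknown accounts
        raw = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(raw.encode()).digest()
        self.reset_tokens[token_hash] = ResetToken(username, time.time() + TOKEN_TTL_SECONDS)
        self.outbox.append((person.email, raw))

    def complete_reset(self, raw_token: str, new_password: str) -> bool:
        """Redeem a token exactly once, within its lifetime; the user chooses the new password."""
        record = self.reset_tokens.get(hashlib.sha256(raw_token.encode()).digest())
        if record is None or record.used or time.time() > record.expires_at:
            return False
        record.used = True
        person = self.people[record.username]
        person.salt, person.digest = hash_password(new_password)
        person.force_password_change = False
        return True

    def login(self, username: str, password: str, new_password: Optional[str] = None) -> str:
        """Authenticate; when the force flag is set, require a new password in the same step."""
        person = self.people.get(username)
        if person is None or person.lockout or not verify_password(password, person.salt, person.digest):
            return "denied"
        if person.force_password_change:
            if new_password is None:
                return "password_change_required"   # UI renders the change-password section
            # the old password was validated above, so the change is allowed
            person.salt, person.digest = hash_password(new_password)
            person.force_password_change = False
            return "password_changed"
        return "ok"
```

Two properties carry the security weight: the reset token is stored only as a hash and is invalidated on first use, so a leaked token table cannot be replayed; and `login` refuses to rotate the password unless the current one verifies, which is the check the text describes for the forced-change path.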
The IPerson interface now includes ForcePasswordChange. While making this change, the interface was also extended to include LicenseAccepted and Lockout. Since Lockout and ForcePasswordChange are now part of IPerson, their values can be read directly from User.
In Login.ashx, ProcessRequest checks whether the Operation being processed is a public method. If the operation is not public, it verifies that the caller is authenticated before processing the request. A new ForcePasswordChange method was also added here.
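The dispatch rule just described, as an added illustration rather than QBO 3's own Login.ashx code: operations are reachable only through an explicit registry (no reflective lookup of arbitrary methods), every operation is non-public unless marked otherwise, and a non-public operation is refused when no authenticated user is present. The operation names other than ForcePasswordChange, the decorator, and the constructed credential check are assumptions.

```python
"""Model of a ProcessRequest-style gate: explicit operation registry, default non-public.

Added illustration, not QBO 3 code; handler names and the credential check are constructed."""
from typing import Any, Callable, Dict, Optional, Set


class AuthenticationRequired(Exception):
    """Raised when a non-public operation is requested without an authenticated caller."""


class UnknownOperation(Exception):
    """Raised for names not in the registry; there is no fallback to reflection."""


def _key(name: str) -> str:
    """Normalise 'ForcePasswordChange' and 'force_password_change' to the same key."""
    return name.replace("_", "").lower()


OPERATIONS: Dict[str, Callable[..., Any]] = {}
PUBLIC_OPERATIONS: Set[str] = set()


def operation(public: bool = False) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
    """Register a handler method under its normalised name; default is non-public."""
    def register(func: Callable[..., Any]) -> Callable[..., Any]:
        OPERATIONS[_key(func.__name__)] = func
        if public:
            PUBLIC_OPERATIONS.add(_key(func.__name__))
        return func
    return register


def is_public(operation_name: str) -> bool:
    return _key(operation_name) in PUBLIC_OPERATIONS


class LoginHandler:
    def __init__(self) -> None:
        self.authenticated_user: Optional[str] = None   # assumption: populated from the session ticket

    @operation(public=True)
    def logon(self, username: str, password: str) -> bool:
        # constructed credential check, standing in for the real password verification
        if (username, password) == ("alice", "correct horse"):
            self.authenticated_user = username
            return True
        return False

    @operation(public=True)
    def request_password_reset(self, username: str) -> str:
        # public by design: a user who cannot log in must still be able to start a reset
        return "reset token sent if the account exists"

    @operation()
    def force_password_change(self, username: str) -> str:
        # not public: only an authenticated (administrative) caller may set the flag
        return f"{username} must change password at next login"

    def process_request(self, operation_name: str, **params: Any) -> Any:
        """Dispatch one request, applying the public/authenticated check first."""
        key = _key(operation_name)
        handler = OPERATIONS.get(key)
        if handler is None:
            raise UnknownOperation(operation_name)
        if key not in PUBLIC_OPERATIONS and self.authenticated_user is None:
            raise AuthenticationRequired(operation_name)
        return handler(self, **params)
```

The registry is what makes the default safe: a newly added handler that nobody remembered to mark public is refused to anonymous callers, and a request naming a method that was never registered (including `process_request` itself) is rejected before any authentication logic runs.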