In some cases we want to be able to force a user to change their password before they can log in again, for example if they've been identified as a victim of a credential stuffing attack.
Right now we can invalidate all open sessions and force a new login, but that won't stop the attacker simply logging in again with the compromised password.
Ideally they wouldn't be able to choose the same password again when they go through this mandatory change flow.
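
A sketch of the requested behaviour, added here as an illustration and not taken from any project's code: flagging an account ends its sessions, blocks password login, and the mandatory change rejects the compromised password. All names (`flag_compromised`, `must_change`, the in-memory stores) are hypothetical, and the one-time token delivered out of band to the account owner is an assumption of this example, so that knowing the compromised password alone cannot complete the change.

```python
import hashlib, hmac, os, secrets

users = {}     # username -> {"salt", "hash", "must_change", "reset_token"}
sessions = {}  # session id -> username

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _matches(user, password):
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def register(name, password):
    salt = os.urandom(16)
    users[name] = {"salt": salt, "hash": _hash(password, salt),
                   "must_change": False, "reset_token": None}

def login(name, password):
    user = users.get(name)
    if user is None or not _matches(user, password):
        return ("denied", None)
    if user["must_change"]:
        # Correct password, but it is known-compromised: issue no session.
        return ("password_change_required", None)
    sid = secrets.token_urlsafe(16)
    sessions[sid] = name
    return ("ok", sid)

def flag_compromised(name):
    """End open sessions, block login, return a one-time token for the owner."""
    for sid in [s for s, u in sessions.items() if u == name]:
        del sessions[sid]
    users[name]["must_change"] = True
    users[name]["reset_token"] = secrets.token_urlsafe(16)  # sent out of band (assumption)
    return users[name]["reset_token"]

def change_password(name, token, new_password):
    user = users[name]
    expected = user["reset_token"]
    if not expected or not hmac.compare_digest(expected.encode(), token.encode()):
        return "bad_token"
    if _matches(user, new_password):
        return "reused_password"  # same as the compromised password: reject
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new_password, user["salt"])
    user["must_change"], user["reset_token"] = False, None
    return "changed"
```

Only the current hash is compared here; rejecting older passwords as well would need a stored history of previous hashes.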