Open latin-panda opened 4 days ago
This feature is enabled based on permissions
Once the MVP is proven then reset password will be mandatory for all projects so we can ensure all users on all instances are not compromised in future. Until then it's fine to use a feature flag so projects can opt-in to try it out.
Subsequent logins won't require a password change.
One addition to this, is the user loses their phone, or forgets their password and the administrator resets it for them, then the user will be required to change their password again. This is because the password has almost certainly been shared in plaintext so it's once again vulnerable to future leaks.
Is your feature request related to a problem? Please describe. System admin users create accounts for CHWs and then share the password with them. To enhance the security of these accounts, there should be a way to prompt a password change on the first login.
Describe the solution you'd like On the login page, create a feature to change the password with the following considerations:
change_password_first_login
)[Designs on the making, to be updated here soon]
The scope of this work is to enable changing the password on the first login. It doesn't include changing the password rules or current authentication mechanisms.