Comment by mooreds

Yeah, this is the best practice. We offer that in our product.

But it's possible that you could follow the best practice and still force a reset. This could be because:

* the customer or provider doesn't want to wait for everyone to log in

* they've waited for N months and now there is a block of users who have not logged in yet and they think it is worth the user annoyance to just force them all to reset their password