When a customer forgets his password, he can request a new one from the storefront application. A new password is generated and sent out in an email using the EmailNewPassword_xx.vm template.
The temporary password is only valid for a configurable number of minutes (see above) and expires once this time has elapsed. If the customer uses it before it expires, he is redirected to the change password form immediately after logging in, and prompted to enter a new password.
If the customer attempts to use it after it has expired, a warning is issued, prompting the user to request a new temporary password.