I want to close this ticket for now, as we will unlikely implement this in the near future as this is a low priority for us because of the following reasons:
2. It is difficult to provide a generic solution for this task that meets everyone's needs, as there are many people who implemented custom security classes tailored to their own needs and business processes;
We provide two examples that show how to approach this task in an XAF ASP.NET WebForms app:
How to: Use Google, Facebook and Microsoft accounts in ASP.NET XAF applications (OAuth2 authentication demo)
How to manage users (register a new user, restore a password, etc.) from the logon form in ASP.NET.
We recommend the first example over the second one as authentication providers like Office 365 or G Suite already have the "forgot password" and related features built-in (learn more: one, two) and you will just need to link them to your XAF app.
I hope you find this information helpful.