The current email/password authentication provider only really works for users that self-register. In the case where user access needs to be controlled, a user can be created via registerWithEmail(), but the new user needs to first confirm their email address and then trigger a second email that resets their password. This extra step is unusual and adds no security benefit to users.

It would be most useful to allow a user profile to be flagged with a "password change required on login" attribute. An administrative user could set up the new user via registerWithEmail(), which would trigger the email confirmation (as currently done). After the new user confirms their email address and logs in, the user would then be required to set a new password. This assumes the admin user communicates the temporary password to the new user, but this is a fairly common scenario across most systems today.