SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Is there support for mandatory password changes based on time? For example, requiring someone to change their password every 6 months?

hey! you can customise your way through making something like this

That makes sense, I was just wondering if it's possible

you can customise your way through making something like this. You would need to keep track of the last password change time in your own db (can update this value in sign up and change password APIs)

And then when a sign in attempt happens, you can check if the password update time was > 6 months, then reject the request with an error message saying to change the password first.

you can also override the refresh APi to cehck if the last password update time was > 6 months, then revoke the session.