For the first:
If it’s just end users that you’re worried about, I would build a ‘fake’ login screen for the project. That is, the Ignition project would automatically log in some ‘guest’ user or something similar, and have a simple window with a login/password and a submit button. Then you could use the system.security.switchUser function to check whether it’s a valid user. It would be pretty easy to add some scripting to that login window to ‘count’ the failed login attempts and then perform whatever other action you want.
For the second:
I would recommend a DB-driven user source. You could set it up in automatic mode to get the tables that you need for a basic structure, then change to manual mode and add a ‘temporary’ column to the authentication table. Thus, your validation (probably on the same pseudo-login screen) could check the value of that ‘temporary’ column, and immediately prompt the user for a new password upon logging in.