diff --git a/content/en/building/concepts/access.md b/content/en/building/concepts/access.md index d5e8c96e7..7c3c76562 100644 --- a/content/en/building/concepts/access.md +++ b/content/en/building/concepts/access.md @@ -55,7 +55,20 @@ Users may log out by going to the options menu available in the top right corner {{< figure src="login-mobile.png" link="login-mobile.png" class="left col-3 col-lg-3" >}} -{{< figure src="login-desktop.png" link="login-desktop.png" class="left col-9 col-lg-9" >}} +{{< figure src="login-desktop.png" link="login-desktop.png" class="right col-8 col-lg-8" >}} + +### Password reset on first login + +**Added in 4.16.0.** + +To enhance the security of CHT applications, users logging in for the first time, or who have had their password reset, are prompted to change the password provided by the system administrator to their own strong password. + +{{< figure src="password-change.png" link="password-change.png" class="col-12 col-lg-12" >}} + +This feature will be enabled by default because it encourages best practices. However, only new users will be prompted to go through this flow or those users whose passwords have been reset by the system administration. +Projects can disable this feature by enabling the `can_skip_password_change` permission. + +Subsequent logins won’t require a password change – if the app closes before changing the password, the user will be prompted again when they reopen it. If a user is unable to update their password, they won’t be able to access the app. ## Magic Links for Logging In (Token Login) @@ -79,8 +92,3 @@ With token login, the password is never known by the admin or the user because t {{% alert title="Note" %}} The magic link workflow will not work for users who want to use multiple devices or for multiple users on one device. {{% /alert %}} - - - - - 
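Review bot: The new "Password reset on first login" section is internally inconsistent about when the prompt reappears: "Subsequent logins won’t require a password change" is immediately followed by "if the app closes before changing the password, the user will be prompted again when they reopen it." State the rule once and precisely, e.g. "The prompt is shown on every login until the user has set their own password; once it has been changed, subsequent logins do not ask again." Two further points for the same section: "system administrator" and "system administration" are used for the same actor, so pick one; and since `can_skip_password_change` is the switch that turns this control off, the sentence "Projects can disable this feature by enabling the `can_skip_password_change` permission" should make explicit that the permission is not granted to any role by default and that granting it removes the forced change for every user in that role, so readers understand the security trade-off they are making. The last line ("If a user is unable to update their password, they won’t be able to access the app") is the fail-closed behaviour a reader will want to know about; consider moving it next to the description of the prompt rather than after the "subsequent logins" sentence. The figure class change from `left col-9 col-lg-9` to `right col-8 col-lg-8` is unrelated to the feature and would be cleaner in its own commit.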
diff --git a/content/en/building/concepts/access/password-change.png b/content/en/building/concepts/access/password-change.png new file mode 100644 index 000000000..666cebaf4 Binary files /dev/null and b/content/en/building/concepts/access/password-change.png differ diff --git a/content/en/building/reference/app-settings/user-permissions.md b/content/en/building/reference/app-settings/user-permissions.md index 8d8d645c7..93ab04a03 100644 --- a/content/en/building/reference/app-settings/user-permissions.md +++ b/content/en/building/reference/app-settings/user-permissions.md 
@@ -71,6 +71,7 @@ Permissions can be assigned to user roles either directly in `base_settings.json | `can_view_old_action_bar` | Allows users to see the old action bar in Message Tab, Reports Tab and Contact Tab which is considered deprecated and will be completely removed in a future release. The More Options menu will be hidden when this permission is enabled. The Admin user will always see the new More Options menu. See [Feature Flags]({{< ref "building/guides/updates/feature-flags" >}}) for more info. | | `can_default_facility_filter` | Defaults the Place Filter in Reports tab to the user's associated facility. The user should have a contact associated that belongs to a facility. This feature is not available for Admin and Offline type of users. Use with caution, online users that can access thousands of reports can experience slow performance especially where the network is slow. Added in 4.3. | |`can_have_multiple_places`| Allows users to be assigned more than one `facility_id`. Helps support health systems where offline Supervisors manage CHWs from different geographical areas. Each `facility_id` must be at the same level in the hierarchy. Added in 4.9.0 | +|`can_skip_password_change`| Turns off the password change prompt for users logging in for the first time or who have had their password reset. Added in 4.16.0 | ### Code sample This sample shows how to define the `permissions` object in the `base_settings.json` file. Observe how `can_edit` permission has been associated to `supervisor_role` and `chw_role` user roles.
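Review bot: The description of `can_skip_password_change` should say that it is off by default and that enabling it disables a security control, mirroring the wording in the access.md page it references: "Turns off the password change prompt ..." reads as a neutral convenience setting, whereas the companion text says the prompt exists "to enhance the security of CHT applications". Suggested wording: "Disables the mandatory password change prompt for users logging in for the first time or whose password has been reset by an administrator. Not granted to any role by default; grant only where the project accepts that users keep the administrator-supplied password. Added in 4.16.0." Minor: the neighbouring rows end the version note with a period ("Added in 4.3."), so "Added in 4.16.0" should too.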