IDM 4.0.1
User App 4.0.1
My client's requirement.

My client wants a kind of second level authentication for their external users.

E.g.: when a new or already existing user has been assigned a group entitlement (e.g. the "Finance" group entitlement), then
1) We need to change those users' password expiration from 90 to 45 days.
2) Prior to those users' passwords expiring (let's say 5 days before the password expires), we need to send an email notification to those users with the User Application URL (the User Application URL is a page with a text area and a submit button) and some auto-generated security code or random number. The users will click the link and enter the security code, and when they click submit it must validate the security code against eDirectory; if it matches, then the password expiration date for that user should get extended by another 45 days.

Is this doable?
If it is doable, how can I achieve this scenario?

What I have in mind is:
A Null driver to verify the "Finance" group entitlement.
When the "Finance" group entitlement is assigned to a user, the Null driver will send the email notification with the User Application URL and a randomly generated number (this random number will be stored in an attribute "SecCode").
The User Application URL will point to a custom-created page which has a text area to enter the "security code", which will be sent via the email notification.
Once submitted, it matches the security code against the user's attribute (SecCode) value. If it succeeds, then it triggers the Null driver to extend the user's password expiration date by another 45 days.

Let me know if there is any other, better way to handle this scenario.
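
The issue-and-validate flow proposed above, as an added sketch that is not part of the original post and is not IDM or User Application code. It assumes a plain dict stands in for the eDirectory user object; `SecCodeIssued`, `SecCodeAttempts`, the 5-day code lifetime and the attempt limit are hypothetical additions, while `SecCode` and the 45-day extension come from the post.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

EXTENSION = timedelta(days=45)  # extension period from the post
CODE_TTL = timedelta(days=5)    # assumption: code lives for the 5-day notice window
MAX_ATTEMPTS = 5                # assumption: stop guessing after 5 bad submissions


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def _clear(user: dict) -> None:
    for key in ("SecCode", "SecCodeIssued", "SecCodeAttempts"):
        user.pop(key, None)


def issue_code(user: dict, now: datetime) -> str:
    """Create a one-time code, store only its hash, return the code for the e-mail."""
    code = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
    user["SecCode"] = _digest(code)    # the directory never holds the plaintext code
    user["SecCodeIssued"] = now        # hypothetical attribute
    user["SecCodeAttempts"] = 0        # hypothetical attribute
    return code


def redeem_code(user: dict, submitted: str, now: datetime) -> bool:
    """Validate a submitted code; on success extend the expiration and burn the code."""
    stored = user.get("SecCode")
    if stored is None:                 # nothing issued, or already used
        return False
    expired = now - user["SecCodeIssued"] > CODE_TTL
    if expired or user["SecCodeAttempts"] >= MAX_ATTEMPTS:
        _clear(user)
        return False
    # Constant-time comparison so response timing does not leak the stored hash.
    if not hmac.compare_digest(stored, _digest(submitted)):
        user["SecCodeAttempts"] += 1
        return False
    # Assumption: the new 45 days are counted from the moment of redemption.
    user["passwordExpirationTime"] = now + EXTENSION
    _clear(user)                       # single use: a replayed link fails
    return True
```
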