Users are prompted for their passphrase when they reset their own password with SecureLogin installed in LDAP mode connecting to Active Directory
The entire process depends on slcredman. This component is a credential manager (a Windows network provider) that is registered with the operating system during SecureLogin installation. When a user logs in, it is notified via a call to NPLogonNotify and is passed that user's username and password. If the user's password was changed during the login process (a forced change due to password expiration), the user's old password is also passed.
If a user changes their password after logging in (Ctrl+Alt+Del, then "Change Password"), slcredman is notified via a call to NPPasswordChangeNotify and is passed the user's old and new passwords.
When a user has just logged in, slcredman writes the username and password to the registry. When the user's password has changed, it also writes the old password to the registry and explicitly notifies the Broker (slbroker.exe) by setting an event. If the Broker is running at this time, it will already have created that event and will be ready to handle it. If the Broker is not running, the event does not exist and slcredman does not set it. In that case, when the Broker starts and reads the registry, it notices that a password change has occurred and handles it at that time.
Because slcredman does not apply in a published desktop scenario, the process above does not detect the password change, so SecureLogin cannot bypass passphrase authentication. This is why a user who resets their own password in a published desktop is prompted for their passphrase.
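The following PowerShell script is an added diagnostic for the mechanism described above (the network-provider registration of slcredman, the running Broker, and the published-desktop case); it is not part of SecureLogin or NetIQ documentation. It assumes the standard Windows network-provider registration layout (HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and each provider's Services\<name>\NetworkProvider key), that the SecureLogin provider's ProviderPath names a DLL containing "slcredman" (the actual service key name is not stated on this page, so providers are matched by DLL name), and that a published desktop presents itself as a terminal-server session.

```powershell
# Added diagnostic script (not SecureLogin's own code). Assumptions: standard
# Windows network-provider registration layout; the SecureLogin provider's
# ProviderPath contains "slcredman" (its service key name is unknown here);
# a published desktop runs as a terminal-server session.

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$providers = $providerOrder -split ',' | ForEach-Object { $_.Trim() }

# 1. Is a provider that loads slcredman registered, and where does it sit in the
#    chain? If it is absent, NPLogonNotify/NPPasswordChangeNotify never reach it.
$position = 0
$slProvider = $null
foreach ($name in $providers) {
    $position++
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    if (-not (Test-Path $npKey)) { continue }
    $path = (Get-ItemProperty -Path $npKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    if ($path -and $path -match 'slcredman') {
        $slProvider = [pscustomobject]@{
            Name     = $name
            Path     = $path
            Position = $position
            Total    = $providers.Count
        }
        break
    }
}
if ($slProvider) {
    "Network provider '$($slProvider.Name)' loads $($slProvider.Path) (position $($slProvider.Position) of $($slProvider.Total) in ProviderOrder)"
} else {
    Write-Warning 'No network provider referencing slcredman is registered; NPLogonNotify and NPPasswordChangeNotify will not reach SecureLogin.'
}

# 2. Is the Broker running? If not, the event it would create does not exist,
#    and a password change is only picked up from the registry when it starts.
$broker = Get-Process -Name slbroker -ErrorAction SilentlyContinue
if ($broker) {
    "slbroker.exe is running (PID $($broker.Id -join ', '))"
} else {
    Write-Warning 'slbroker.exe is not running; a password change will be handled only when the Broker starts and reads the registry.'
}

# 3. Is this a remote (terminal-server) session, which is how a published desktop
#    appears? There the local network-provider notifications do not apply and a
#    passphrase prompt after a self-service password reset is expected.
Add-Type -AssemblyName System.Windows.Forms
$remote = [System.Windows.Forms.SystemInformation]::TerminalServerSession
"Session '$env:SESSIONNAME' is a terminal-server session: $remote"
if ($remote) {
    Write-Warning 'Remote/published session: slcredman does not observe the password change here, so the passphrase prompt is the expected behaviour.'
}
```

Run the script inside the session where the prompt appears (not on an administrator's separate console), since the session check and the Broker process are per-session observations. It only reads registry values and process names and changes nothing.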