Hello Steve,
Thanks for showing the interest ! I am excited to know that application is useful for the community.
Regarding the Forced Re-Authentication of users, I have written specific code to clear out the LTPAToken/Existing session information from cookies and ensure that user has to login again before reaching the Profile Registration page. Also, if a user tries to access the Registration page directly via URL, in that scenario, the application will redirect him to Homepage, as direct URL access will not provide the required Scope variables. Thus, application won't allow any unauthorized attempt to profile page and changing the secret question/answers without re-authentication.
If you need more details, I'll recommend please review the source code of xpValidateUser XPage and ccHome Custom Control in the application design.