REQ.131 Deny multiple password changing attempts
Passwords are not allowed to be changed more than once in the same day.
OWASP-ASVS v3.1-2.8 Verify all identity functions (e.g. forgot password, change password, change email, manage 2FA token, etc.) have the security controls, as the primary authentication mechanism (e.g. login form).