After receiving the password reset email and clicking the "Click Here" hyperlink, user is brought to a page that gives the minimum requirements for a new password and a button that says "Reset Password" but when you click that button it just returns you to the Expired or Forgotten Password page without ever giving them an opportunity to reset their password.
The link in the email contains a one-time token meaning that if anyone goes to that specific URL the link will no longer work and the user is redirected to the password reset request page instead. On investigating this issue, we have found that McAfee Antivirus contains a default setting called ClickProtect which validates the URL but at the same time expends the one-time token. Other antivirus software may have a similar feature.
Solving the Problem with VON's Assistance:
The simplest solution is to request a manual password reset from the Vermont Oxford Network. A temporary password will be issued manually by our staff. This password should be used to login and update your password as soon as it is received and will expire in 24 hours.
A More Permanent Solution?
Per McAfee's own discussion thread on the subject there is no global allow-list to add our domain and the Sender Allow list does not affect ClickProtect. The only solution they offer is to disable ClickProtect. Our understanding is that McAfee intends to address this issue in a future release, but that update will be on that vendor's timeline.
Other Possible Causes:
A similar problem has been observed by users of Internet Explorer 9. The recommended solution is to use an up-to-date version of an alternate browser such as Chrome or Firefox. Support for all versions of Internet Explorer other than Internet Explorer 11 has been discontinued by Microsoft.
We are also finding that the Proofpoint URL Defense feature will actually change the URL which will also break the one-use token. If you are running into this issue your IT department can white list our IP address in that program. Please contact us directly for our public IP address.