PHP
anton_myaso, 2015-01-20 16:45:52

What is the best way to implement automatic password change?

Good afternoon.
There is a self-written CRM running on PHP+MySQL.
In fact, there are several databases within one system:
BD_main
BD_office1
BD_offce2
Each of them, except main, has a USERS table with a standard set of fields: ID, Name, pass, mail.
A need arose to change the passwords once a month for the entire database and send them all by mail.
Another catch is that the passwords in the database are stored as MD5, while the email, of course, is just plain text without any hashing.
What is the best way to put all this together? Any sample scripts?


2 answer(s)
Alexander Bagirov, 2015-01-20
@anton_myaso

Try several options:

  1. Create a "password_expire" column in the users table of the database. On registration we put the current date + 90 days there (or however long you need). We also add a "blocked" column and set it to false for everyone. We write a script that pulls from the database all users whose password_expire equals the current day and sets blocked to true for them. We set this script up in cron so that it runs once a day. After that, we extend the authorization script so that on login it checks the value of blocked. If it is true, we redirect to a page where we inform the user that the password must be changed and require a new password. After a successful change, we set blocked to false and password_expire to the current date + 90 days;
  2. Add the password_expire column to users, where we set today + 90 days. Again we write a handler. If password_expire is the current date, send the user an email with a link to the password change page;
  3. The same password_expire and blocked, but more humane: we simply hang a block with a password change notification at the top of the page and do not remove it until the password is changed and, accordingly, blocked becomes false.
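Option 1 above, as an added example that is not part of the answer or of the asker's CRM: the two columns, the daily cron query, the login check and the reset, using PDO. The USERS table and the ID/pass/mail column names come from the question; the 90-day lifetime, the TINYINT type for blocked and the use of password_hash() in place of the CRM's MD5 are assumptions.

```php
<?php
// Added example (not the original answer's code): "password_expire" + "blocked"
// scheme from option 1. Table/column names follow the question; the lifetime,
// the column types and the switch from MD5 to password_hash() are assumed.

const PASSWORD_LIFETIME_DAYS = 90;

// One-off migration, to be run against each office database (BD_office1, ...).
const MIGRATION_SQL = "
ALTER TABLE USERS
  ADD COLUMN password_expire DATE NOT NULL,
  ADD COLUMN blocked TINYINT(1) NOT NULL DEFAULT 0";

// Expiry date to store on registration and after every successful change.
function nextExpiryDate(): string {
    return (new DateTimeImmutable('+' . PASSWORD_LIFETIME_DAYS . ' days'))->format('Y-m-d');
}

// Daily cron job: flag every user whose password has reached its expiry date.
// Using <= rather than = means a day the cron did not run is not skipped.
function blockExpiredUsers(PDO $db): int {
    $stmt = $db->prepare(
        "UPDATE USERS SET blocked = 1 WHERE blocked = 0 AND password_expire <= CURDATE()");
    $stmt->execute();
    return $stmt->rowCount();
}

// Login: verify the stored hash, then force a change if the account is flagged.
function login(PDO $db, string $mail, string $password): string {
    $stmt = $db->prepare("SELECT ID, pass, blocked FROM USERS WHERE mail = ?");
    $stmt->execute([$mail]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['pass'])) {
        return 'denied';
    }
    // A flagged user still authenticates with the old password, but the
    // authorization script must send them to the change-password page.
    return $user['blocked'] ? 'must_change_password' : 'ok';
}

// Successful change: store the new hash, clear the flag, push expiry forward.
function changePassword(PDO $db, int $userId, string $newPassword): void {
    $stmt = $db->prepare(
        "UPDATE USERS SET pass = ?, blocked = 0, password_expire = ? WHERE ID = ?");
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), nextExpiryDate(), $userId]);
}

// Cron entry point, e.g. `0 3 * * * php /path/to/expire.php` (path assumed):
// $db = new PDO('mysql:host=localhost;dbname=BD_office1', 'dbuser', 'dbpass');
// echo blockExpiredUsers($db) . " users flagged\n";
```

Nothing here emails a password: the user learns of the expiry at login and sets the new password themselves, so no plaintext credential ever leaves the system.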

Armenian Radio, 2015-01-20
@gbg

Everything is very bad. This system is completely insecure. The user should simply be prompted to change the password immediately after logging in with the old password. What you have now is a scam.
