Hello Paolo,
Yes, that's a good flow.
Be aware that you can extend Sphinx users by creating your own descendant class and adding more information to it. This is explained here.
Thus, you can add fields that hold a flag if the user has ever logged in, or even a flag indicating password changing is required.