bburky
commented
2 days ago This is maybe ok, but we should think through it.
- Do we assume the user has MFA on their email, so we don't need to validate MFA here?
- Is this an intentional MFA reset method? password reset (which requires email re-verification) → log in to account → delete MFA?
If we don't think the answers to those are "yes", then we should require MFA during the reset flow.
Is your feature request related to a problem? Please describe.
Follow on discussion to this PR, at the moment the MFA is not required when a user resets credentials which opens a backdoor for them to access their account and reset the MFA as well.