Open UnicornChance opened 1 week ago
Follow-on discussion to this PR: at the moment, MFA is not required when a user resets credentials, which opens a backdoor for them to access their account and reset the MFA as well.
This is maybe ok, but we should think through it.
If we don't think the answers to those are "yes", then we should require MFA during the reset flow.