Pass a 2FA challenge (+ password?) before activating it

[Zykino]

Check the use know what he is doing before being locked out of his own CMS. All the websites I tryed asked me to pass a 2FA challenge before finishing the enabling process: Github, Discord...

[mahagr]

You can disable the setting by just editing your user from user/accounts folder.

[Zykino]

That's if have access to the machine, or setted up the git plugin. Someone may have setted me a Grav website, with the Admin plugin but no direct access to the host's filesystem.

Also there is the case of: I set up 2FA.

• Go to work. (no ssh keys registered for my personal blog)
• Oups, did not QRCode reader did not work well enough/using an other app but have another algo in fact.
• Have to wait until I get home again to change that.

I proposed this to have the same UX as other website. I do not think adding recovery is needed because of the file edition you pointed but maybe it's needed too.