keratin / authn-server

Authentication service that keeps you in control without forcing you to be an expert in web security.
https://keratin.github.io
GNU Lesser General Public License v3.0

feat: add support for TOTP multi-factor authentication #220

Closed AlexCuse closed 9 months ago

AlexCuse commented 11 months ago

Final note I think that I can't really find a place for in the changeset is that there should be a private API that can be used by back office tooling to remove the MFA secret. It's common to see MFA enrollment used in account takeovers as a way to buy the attacker time.

I would be happy to just include this as part of the existing ExpirePassword functionality but open to arguments for a dedicated endpoint.

AlexCuse commented 10 months ago

I think I addressed the main issues @cainlevy take a look.

I am about tired of looking at this PR; I think it is good to go at this point. I'm happy to do a follow-up to clear the TOTP secret on the ExpirePassword admin action. We can write up issues for that and the 3 improvements you identified and tackle them in bite-size chunks from here, I think. Happy to let this sit in main a while before releasing to give time for those + finishing building up the new demo I'm working on.
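As an added illustration of the back-office reset discussed in both comments (this is not authn-server code; `Account`, `totpCode`, `VerifyTOTP` and `AdminResetMFA` are hypothetical stand-ins), the example below clears the TOTP secret and expires the password in a single admin action, after which every submitted code is rejected until the user re-enrolls.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Account is a hypothetical stand-in for the server's account record.
type Account struct {
	TOTPSecret      []byte // nil when MFA is not enrolled
	PasswordExpired bool
}

// totpCode implements RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
func totpCode(secret []byte, at time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(at.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// VerifyTOTP checks the current step only (no drift window) and rejects
// every code once the secret has been cleared.
func (a *Account) VerifyTOTP(code string, at time.Time) error {
	if a.TOTPSecret == nil {
		return fmt.Errorf("mfa not enrolled")
	}
	if !hmac.Equal([]byte(code), []byte(totpCode(a.TOTPSecret, at))) {
		return fmt.Errorf("invalid code")
	}
	return nil
}

// AdminResetMFA is the back-office action discussed above: drop the
// (possibly attacker-enrolled) secret and expire the password in one step.
func (a *Account) AdminResetMFA() {
	a.TOTPSecret = nil
	a.PasswordExpired = true
}

func main() {
	acct := &Account{TOTPSecret: []byte("12345678901234567890")} // constructed sample
	acct.AdminResetMFA()
	fmt.Println(acct.VerifyTOTP("287082", time.Now())) // mfa not enrolled
}
```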