[MFA] Add setting for disabling reauthentication
mecampbellsoup opened this issue · 1 comment
mecampbellsoup commented
I was surprised to discover that ACCOUNT_REAUTHENTICATION_REQUIRED does not apply to MFA behavior, so there's no way to disable requiring reauthentication when a user seeks to turn MFA on.
Is this intentional or just a result of the MFA stuff being fairly new?
pennersr commented
This was intentional. Turning on/off MFA is a very security sensitive step -- you can get completely locked out of your account if somebody turns it on for you while you are grabbing a coffee. Requiring reauthentication for the regular account management pages is less problematic and also fairly non-standard, which is why that is put behind a setting.