István Bede
I think fallback shouldn't be automatic. Let's assume the user has set both mechanisms and selected a preferred one (e.g. TOTP) and then loses their phone. On the login page...
Now I see your point. Yes, one option would be to block the change of email. How about separating the two email addresses? By default the MFA address would be...
OK, I'll start then on this one this week with this approach.
If this one is free to grab, I'd like to try to implement it this or maybe next week.