Require Two-Step verification to change Two-step verification options


Well-known member
If a TFA trusted device is compromised and the attacker has access to the password he can change (or completely disable) Two-step verification for the account.

To mitigate this, it would IMHO be useful to require the password and Two-step verification for the session before Two-step verification options can be changed.
Upvote 5
I would think this would be a basic requirement when the user is wanting additional security steps. Simple reliance on the password is NOT enough if one has gone to the extent to enable additional security features.
Personally.. I REALLY wish XF would enable passkey ability natively also.
Top Bottom