I would like to have two-factor authentication on the reset password page. If the user is enrolled in SMS/Voice or any other factor, it would be great if the password reset page required the user to enter an OTP too, to increase the security of this flow.
Thanks for advocating for that. Let's see how many people from the community will be interested in such a feature as well.
1 Like
I second this feature request. I've also created a similar feature request, specifically to require the user's current password as a second factor in order to reset it. This is in line with the OWASP ASVS 4.0 requirement 2.1.6 - https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf