I second this feature request. I’ve also created a similar feature request, specifically to require their current password as a second factor in order to reset. This is in line with OWASP 4.0 ASVS 2.1.6 requirements - https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf
philrees