Hi everyone!
I am sorry about the delayed response to the inquiry!
Unfortunately, there isn’t an out of the box solution regarding resetting the MFA and removing the recovery codes after such a login.
As an alternative, I would suggest to create a WebHook which detects if the log type sercft (Successful exchange of Password and MFA Recovery code for Access Token) has been triggered on the respective login and then to delete the authenticators as mentioned in this knowledge article.
Kind Regards,
Nik