According to "Is there an automated MFA reset process?", there isn’t a way for end users to do a self-service MFA reset. Instead, Auth0 provides an API that I can use to build a reset feature myself. My security concern about doing that is: why didn’t Auth0 provide that feature out of the box? Isn’t being able to log in using a recovery code enough to prove who the user is? What are the security concerns that prevent Auth0 from making such an MFA reset feature?
Thank you