Changing Email/Password doesn't require 2FA/MFA; it should be required
SymphonyVR
When you try to change your Email it completely ignores your phone 2FA. That could let an unexpected person change your Email or password if they have your login on the webpage (e.g. you forgot to log out).
Expected:
When you change your Email and phone 2FA is enabled, it should ask for your phone 2FA or recovery code so the procedure can be done.
When you change your password, it should ask for phone 2FA, email verification or recovery code so the procedure can be done.
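The step-up check the post asks for, as an added illustration (not code from the site or the original poster): sensitive account changes are refused unless the session passed a second factor recently, where the second factor is a current TOTP code or a single-use recovery code. The TOTP secret, recovery codes and window length are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample values (not real credentials).
TOTP_SECRET = b"constructed-sample-secret-12345"
RECOVERY_CODES = {"ABCD-1234", "EFGH-5678"}
REAUTH_WINDOW = 300  # seconds a second-factor check stays valid for sensitive changes


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Session:
    def __init__(self) -> None:
        self.second_factor_at = None  # time the user last passed 2FA in this session


class Account:
    def __init__(self, email: str, secret: bytes, recovery_codes) -> None:
        self.email = email
        self.secret = secret
        self.recovery_codes = set(recovery_codes)

    def verify_second_factor(self, session: Session, code: str, now: float) -> bool:
        """Accept the current TOTP code, or burn one recovery code; record the time."""
        ok = hmac.compare_digest(code, totp(self.secret, now))
        if not ok and code in self.recovery_codes:
            self.recovery_codes.discard(code)  # recovery codes are single use
            ok = True
        if ok:
            session.second_factor_at = now
        return ok

    def _fresh_second_factor(self, session: Session, now: float) -> bool:
        # An old login (even a valid session cookie) is not enough on its own.
        last = session.second_factor_at
        return last is not None and 0 <= now - last <= REAUTH_WINDOW

    def change_email(self, session: Session, new_email: str, now: float) -> bool:
        """Returns False (and changes nothing) without a recent second factor."""
        if not self._fresh_second_factor(session, now):
            return False
        self.email = new_email
        return True
```

The same `_fresh_second_factor` gate would sit in front of a password change, which the post also asks for.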
DustyKion
I didn't even realise this was a thing. I feel like you shouldn't be able to just... do that. 2FA/MFA should definitely be required here; that feels like a huge security risk, no?
MrMoth1
This is super concerning and should be fixed
Slone Fallion
This is an extremely important concern. Allowing someone to change the password or email without 2FA means that person will effectively be locked out of their own account until, and if, support is able to restore it to the original account holder. Isn't this exactly what 2FA is supposed to prevent? All the attacker needs is the current password and a previously authenticated session, possibly even weeks old.