Reset authentication type based on number of times user has 'lost' authenticator
Currently, if a user attempts login via authenticator and selects the "lost authenticator" option, the system will simply send an OTP via email as if the authenticator didn't exist (they get a special message to tell them to reset)...
I feel this is prone to abuse; we should count the number of times a user has pressed this and change the authentication type permanently after 5 times.
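
The counting rule proposed above, as an added example that is not code from this project. The `User` record, its field names and the returned action strings are hypothetical; it assumes the permanent change is to email OTP and takes effect on the fifth selection.

```python
from dataclasses import dataclass, field
from enum import Enum

LOST_AUTHENTICATOR_LIMIT = 5  # threshold proposed in the issue


class AuthType(Enum):
    AUTHENTICATOR = "authenticator"
    EMAIL_OTP = "email_otp"


@dataclass
class User:
    # Hypothetical user record; the field names are assumptions.
    email: str
    auth_type: AuthType = AuthType.AUTHENTICATOR
    lost_authenticator_count: int = 0
    audit_log: list = field(default_factory=list)


def handle_lost_authenticator(user: User) -> str:
    """Process one "lost authenticator" selection and return the action taken."""
    if user.auth_type is not AuthType.AUTHENTICATOR:
        # Already switched: the option no longer applies, so do not count it.
        return "not_applicable"

    # The tally lives on the account record, not in the session, so a new
    # browser or device does not start the count again.
    user.lost_authenticator_count += 1
    user.audit_log.append(("lost_authenticator", user.lost_authenticator_count))

    if user.lost_authenticator_count >= LOST_AUTHENTICATOR_LIMIT:
        # Assumption: the permanent change is to email OTP.
        user.auth_type = AuthType.EMAIL_OTP
        user.audit_log.append(("auth_type_changed", AuthType.EMAIL_OTP.value))
        return "auth_type_switched"

    # Current behaviour described in the issue: send the OTP by email and
    # show the message telling the user to reset their authenticator.
    return "email_otp_with_reset_notice"
```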