Request 2fa code to disable 2fa
Currently, you can disable 2fa at the click of a button as long as you are logged in.
Should we request a current 2fa/recovery code to authorize the disable?
You can see a similar flow with the Dashlane password manager.
rymai has this been discussed already?
Edited by Luke Bennett