by Buge
2811 days ago
2FA is usually to protect you against your password being stolen. If that's the only threat model, then it's fine to allow 2FA to be disabled without a new 2FA code, as long as it's from a device that has entered a 2FA code at some point in the past. There are other potential threat models, though, that would require re-entering the 2FA code to be safe, such as cookie theft or temporary computer compromise. Both of these, though, seem like less likely attacks.