Hello,
How do I prevent an intruder who knows the user's password from resetting the user's
authenticator secret and capturing the new value? It seems that allowing this negates the
added value of the 2FA system.
Is my understanding of the system incorrect?
If not, I could go for a solution where, once the authenticator is set up, it cannot be
deleted without an admin action.
I could also envision the 2FA setup as a face-to-face operation involving the user
going over to the admin desk with his phone.
I thought I would ask here before hacking away at the source code.
Sincerely,
--
Antoine Delaunay