> If the user has 2FA enabled, is that also checked? I don't see any obvious
> mention of that in this MP, but I haven't tried running it so I might have
> missed something.
2FA is not checked before password change. It's something I considered, but on checking around (Google, Github, Dropbox), other sites don't seem to require it for a password change.
I guess you're already at '2FA' (ish) if you're in a position to be able to change someone else's password, you'd need a working session _and_ the current password.
> If the user has 2FA enabled, is that also checked? I don't see any obvious
> mention of that in this MP, but I haven't tried running it so I might have
> missed something.
2FA is not checked before password change. It's something I considered, but on checking around (Google, Github, Dropbox), other sites don't seem to require it for a password change.
I guess you're already at '2FA' (ish) if you're in a position to be able to change someone else's password, you'd need a working session _and_ the current password.