Code review comment for lp:~twom/canonical-identity-provider/confirm-password-before-changing

Tom Wardill (twom) wrote :

> If the user has 2FA enabled, is that also checked? I don't see any obvious
> mention of that in this MP, but I haven't tried running it so I might have
> missed something.

2FA is not checked before password change. It's something I considered, but on checking around (Google, GitHub, Dropbox), other sites don't seem to require it for a password change.

I guess you're already at '2FA' (ish) if you're in a position to be able to change someone else's password: you'd need a working session _and_ the current password.
