When a user has configured 2FA on their account, any password reset should still prompt for a code from the configured 2FA device. When a system/application doesn't, we would consider this a weak 2FA implementation.
Pre-requisites: A malicious actor has access to the victim's OTP issued during password reset.
Given the high impact if abused but high attacker complexity, this would be rated at P4.
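To make the distinction concrete, here is an added example (not part of the original entry) of a password-reset flow that can run in either mode. With `require_2fa_on_reset=False` it behaves like the weak implementation described above: whoever holds the reset OTP can set a new password. With the switch on, a user who has enrolled a TOTP device must also present a valid code before the reset completes. The user store, the `require_2fa_on_reset` switch, the TOTP secret and the `demo()` scenario are all constructed for illustration; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step). Rate limiting, token delivery and audit logging are out of scope here.

```python
"""Password reset with and without a second-factor check (added example, constructed data)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for the time step containing `at` (unix seconds)."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp_valid(secret: bytes, code: str, at: int, step: int = 30) -> bool:
    """Accept the current step and one step either side, compared in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * step), code) for d in (-1, 0, 1))


def hash_password(pw: str) -> str:
    salt = secrets.token_bytes(16)
    return salt.hex() + ":" + hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1).hex()


@dataclass
class User:
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None  # None: the user has not enrolled 2FA


@dataclass
class ResetToken:
    email: str
    expires_at: int
    used: bool = False


class PasswordResetService:
    """require_2fa_on_reset=False reproduces the weak flow: the reset OTP alone suffices."""

    TOKEN_TTL = 15 * 60

    def __init__(self, users: Dict[str, User], require_2fa_on_reset: bool):
        self.users = users
        self.require_2fa_on_reset = require_2fa_on_reset
        self.tokens: Dict[str, ResetToken] = {}

    def start_reset(self, email: str, now: int) -> Optional[str]:
        """Issue a single-use reset OTP (delivered out of band in a real system)."""
        if email not in self.users:
            return None  # a real endpoint answers identically either way (no user enumeration)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ResetToken(email, now + self.TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str, otp: Optional[str], now: int) -> str:
        """Return 'ok' or a refusal reason; the password only changes on 'ok'."""
        rec = self.tokens.get(token)
        if rec is None or rec.used or now > rec.expires_at:
            return "invalid_token"
        user = self.users[rec.email]
        if self.require_2fa_on_reset and user.totp_secret is not None:
            # Holding the reset OTP is not enough: the enrolled second factor must be presented too.
            if otp is None or not totp_valid(user.totp_secret, otp, now):
                return "2fa_required"
        rec.used = True
        user.password_hash = hash_password(new_password)
        return "ok"


def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Run the same reset against a weak and a hardened service; constructed scenario."""
    secret = b"constructed-totp-secret-20b"  # constructed, not a real enrollment

    def store() -> Dict[str, User]:
        return {"alice@example.com": User("alice@example.com", hash_password("old-pw"), secret)}

    weak = PasswordResetService(store(), require_2fa_on_reset=False)
    strong = PasswordResetService(store(), require_2fa_on_reset=True)
    t_weak = weak.start_reset("alice@example.com", now)
    t_strong = strong.start_reset("alice@example.com", now)
    window = {totp(secret, now + d) for d in (-30, 0, 30)}
    wrong_code = next(f"{i:06d}" for i in range(4) if f"{i:06d}" not in window)
    return {
        "weak_no_otp": weak.complete_reset(t_weak, "new-pw", None, now),
        "strong_no_otp": strong.complete_reset(t_strong, "new-pw", None, now),
        "strong_wrong_otp": strong.complete_reset(t_strong, "new-pw", wrong_code, now),
        "strong_good_otp": strong.complete_reset(t_strong, "new-pw", totp(secret, now), now),
        "strong_replay": strong.complete_reset(t_strong, "again", totp(secret, now), now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

The point to test for when assessing a reset flow is the `strong_no_otp` case: a valid reset OTP presented without the second factor must be refused, and the refusal must happen before any password change is written. The single-use check (`strong_replay`) is a separate weakness the same endpoint often has and is cheap to verify in the same session.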