OTP re-authentication during 2FA device removal

Hi all,

I have a problem with setting up re-authentication for two-factor authentication application removal, for the master realm in the user account page and also on user > user details > credentials. By default I can remove a 2FA device or disable the OTP check in the browser flow without being asked for credentials, which makes it possible to take control over the account if someone unauthorised gets access to it. This is why I am looking for a way to ask for the password, or the password and the token from the app, before a user can disable or remove OTP.

Michal