Retain MFA trust during password reset

[jobannon]

Problem

When I attempt to change a password on a user that has MFA enabled, we will "step up" MFA the user and ask that they complete MFA. If the customer asks that this device be trusted at that time of MFA (before password change), this trust does not carry over during the password reset operation. In other words, at the next login, a user will be prompted to input MFA again.

1. MFA required policy for application/tenant
2. User changes password using forgot password workflow and has link to change password emailed to them
3. User clicks on link
4. FusionAuth will "step-up" to prove that the user can change their password and ask that the user completes an MFA challenge
5. User enters MFA challenge info and asks that their MFA step up be remembered (trust this device checkbox)
6. User logs out (oauth2/logout)
7. User re-authenticates to the same application, but will have to re complete MFA challenge. If they select remember device at this time,, then we will retain this trust.

Solution

Retain MFA trust through password change workflow in hosted pages.

Additional context

Add any other context or screenshots about the feature request here.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Related

#2123