For forgot-password and passwordless login - add 2FA via SMS/Google Authenticator to augment the email link.
Much of the SMS framework is available from the 2FA work that was added.
For change password - require a fresh login.
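As an added illustration (not code from the project or this issue), a minimal Python sketch of both proposals: the emailed reset link only completes a reset when paired with a valid TOTP code (the RFC 6238 scheme Google Authenticator uses), and change-password rejects sessions whose login is older than a short freshness window. The token TTL, freshness window, in-memory stores and class names are assumptions for the example.

```python
"""Constructed example: emailed reset link + TOTP second factor, and a
fresh-login requirement for change password. Not the project's own code."""
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 900            # assumed: reset link valid for 15 minutes
FRESH_LOGIN_MAX_AGE = 300  # assumed: change password needs a login within 5 minutes


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (HOTP with counter = now // step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthService:
    def __init__(self):
        self.users = {}         # username -> {"totp_secret": bytes, "password": str}
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)

    def issue_reset_link(self, username: str, now: int) -> str:
        """Create a single-use token; only its hash is stored, the token is emailed."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (username, now + RESET_TTL)
        return token

    def complete_reset(self, token: str, code: str, new_password: str, now: int) -> bool:
        """The email link alone is not enough: a TOTP code is required too.
        The token is consumed on any attempt, so a wrong code cannot be retried."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)
        if entry is None or now > entry[1]:
            return False                          # unknown or expired link
        username, _ = entry
        expected = totp(self.users[username]["totp_secret"], now)
        if not hmac.compare_digest(expected, code):
            return False                          # second factor failed
        self.users[username]["password"] = new_password
        return True

    def change_password(self, username: str, session_auth_time: int,
                        new_password: str, now: int) -> bool:
        """Require a fresh login: a long-lived session may not change the password."""
        if now - session_auth_time > FRESH_LOGIN_MAX_AGE:
            return False
        self.users[username]["password"] = new_password
        return True
```

A production version would also accept the adjacent TOTP step to tolerate clock skew and rate-limit code attempts.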
Also - NIST doesn't recommend email for things like this:
NIST SP 800-63B, 5.1.3.1 Out-of-Band Authenticators
Also - read: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md
(see 2.5.6 and V2.7)
Other info:
Box - doesn't require any 2FA for either change password or forgot password (it uses email for forgot password).