The gist is that I want to force MFA on ALL devices/browsers/contexts after successfully completing the Forgot Password (verify security question) API call.
I figure the quickest way to achieve this would be to delete all deviceTokens associated with a given user. Is this possible?
Scenario:
I use my web app in Chrome and Edge. Both browsers have a UUID deviceToken cookie stored to bypass MFA on the trusted device.
I complete the Forgot Password (verify security question) process in Chrome. The app destroys the deviceToken cookie, triggering MFA on the next login using Chrome. So far so good.
The gap I am trying to bridge is how to require MFA during the next login using Edge (really, all other trusted devices).
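One server-side way to close that gap is to keep every issued deviceToken registered against the user and have the Forgot Password completion revoke the whole set, so the next login from Edge (or any other trusted browser) fails the bypass check and falls back to MFA. This is an added example, not code from the original post or from any particular identity platform; the in-memory store, the user id and the function names are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class TrustedDeviceStore:
    # Hypothetical store: user_id -> SHA-256 hashes of the deviceTokens issued to that user.
    # Only hashes are kept server-side, so a leaked table cannot be replayed as a cookie.
    _hashes: Dict[str, Set[str]] = field(default_factory=dict)

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """After a successful MFA login: mint the cookie value for this browser and register it."""
        token = secrets.token_urlsafe(32)
        self._hashes.setdefault(user_id, set()).add(self._h(token))
        return token

    def mfa_required(self, user_id: str, cookie_token: Optional[str]) -> bool:
        """Login decision: skip MFA only while the presented token is still registered for the user."""
        if cookie_token is None:
            return True
        return self._h(cookie_token) not in self._hashes.get(user_id, set())

    def revoke_all(self, user_id: str) -> int:
        """Forgot Password hook: drop every trusted-device token for the user, not just the caller's.
        Returns the number of tokens revoked."""
        return len(self._hashes.pop(user_id, set()))


def scenario() -> Tuple[bool, bool, bool]:
    """Replays the Chrome/Edge scenario: (Edge bypass before reset, Chrome after, Edge after)."""
    store = TrustedDeviceStore()
    chrome_cookie = store.issue("alice")  # constructed sample user
    edge_cookie = store.issue("alice")
    edge_before = store.mfa_required("alice", edge_cookie)   # False: Edge is trusted
    store.revoke_all("alice")                                # Forgot Password completed in Chrome
    return (edge_before,
            store.mfa_required("alice", chrome_cookie),      # True: Chrome must MFA again
            store.mfa_required("alice", edge_cookie))        # True: Edge must MFA again


if __name__ == "__main__":
    print(scenario())  # (False, True, True)
```

The same revoke-all hook belongs on any other credential-recovery path (password change, recovery email) for the same reason.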