The gist is that I want to force MFA on ALL devices/browsers/contexts after successfully completing the Forgot Password (verify security question) API call.
I figure the quickest way to achieve this would be to delete all deviceTokens associated with a given user. Is this possible?
Scenario:
I use my web app in Chrome and Edge. Both browsers have a UUID deviceToken cookie stored to bypass MFA on the trusted device.
I complete the Forgot Password (verify security question) process in Chrome. The app destroys the deviceToken cookie, triggering MFA on the next login using Chrome. So far so good.
The gap I am trying to bridge is how to require MFA during the next login using Edge (really, all other trusted devices).