I think it is better we just have 2FA to include the lost password form. If someone has enabled 2FA they have to successfully go through 2FA (be it SMS code, Google Authenticator, or a recovery code), to do a password reset. If they can't do that, they can talk to an admin about regaining access.
No need to have multiple tangential approaches to security. Best to center around one set of very well implemented concepts.
Just to be clear, this would be a 2FA reset. So they'd have the SMS/Google Authenticator/Recovery code factor COMBINED with the email factor. Instead of the current single factor reset, which is just email.
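The reset flow proposed above (the email factor combined with a 2FA factor, with an admin as the only fallback), sketched as an added example that is not Composr code and not part of the original comments. The member record fields, `reset_password` and its return values are hypothetical, the sample secret and tokens are constructed, and the SMS factor is left out.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by Google Authenticator."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()

def second_factor_ok(member: dict, proof: str, now: float) -> bool:
    """Accept a current TOTP code (one step of clock drift) or an unused recovery code."""
    for drift in (-30, 0, 30):
        expected = totp(member["totp_secret"], max(now + drift, 0))
        if hmac.compare_digest(expected.encode(), proof.encode()):
            return True
    for stored in member["recovery_hashes"]:
        if hmac.compare_digest(stored, _digest(proof)):
            member["recovery_hashes"].remove(stored)  # recovery codes are single-use
            return True
    return False

def reset_password(member: dict, email_token: str, proof: str, now: float) -> str:
    """Hypothetical reset gate: email factor first, then the 2FA factor if enrolled."""
    if not hmac.compare_digest(member["reset_token_hash"], _digest(email_token)):
        return "denied"
    if member["2fa_enabled"] and not second_factor_ok(member, proof, now):
        return "contact_admin"  # no self-service bypass; an admin restores access
    member["reset_token_hash"] = b""  # the emailed token is single-use
    return "reset"

def sample_member() -> dict:
    """Constructed test record; the secret is the RFC 6238 test key."""
    return {
        "2fa_enabled": True,
        "totp_secret": b"12345678901234567890",
        "recovery_hashes": [_digest("constructed-recovery-1")],
        "reset_token_hash": _digest("constructed-email-token"),
    }
```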