Inboxen / Inboxen

Main repo for Inboxen.org

Home Page: https://inboxen.org

Users can possibly bypass two-factor auth in places where they maybe shouldn't be able to

moggers87 opened this issue · comments

Two-factor auth is optional for all our users.

Due to the way two-factor auth works on Inboxen, it is possible to have multiple sessions open before enabling two-factor auth. If those sessions become compromised (maybe you logged into a friend's computer and didn't log out) it may be possible to take certain actions that our users may have assumed would be protected by two-factor auth. Depending on the timing, django-elevate may not ask for password confirmation if it thinks the user has just logged in.

Some actions that come to mind:

  • Deleting your account
  • Changing your password
  • Deleting inboxes
  • Deleting emails

django_otp's otp_required has an if_configured kwarg that can enforce two-factor auth only in the case that the user has two-factor auth enabled on their account.

Ironically, we already work around the bug in django-two-factor-auth that prompted me to look into this 😆
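The following is an added illustration of the if_configured gating the issue refers to, not Inboxen code and not django_otp's own implementation. It re-implements the documented behaviour of django_otp.decorators.otp_required in plain Python so it runs without Django: the real decorator consults request.user.is_verified(), which is only true once the current session has completed a second factor, and with if_configured=True it lets users who have no confirmed OTP device through. FakeUser, Session, OTPRequired and the view names are constructed for the example; the scenario models exactly the situation in the issue, a session opened before two-factor auth was enabled that is still logged in afterwards.

```python
"""Model of django_otp's otp_required(if_configured=True) gating.

Added example; it mirrors the semantics of the real decorator but is not
django_otp or Inboxen code. All names below are constructed for illustration.
"""
from dataclasses import dataclass
from functools import wraps


@dataclass
class FakeUser:
    username: str
    # Number of confirmed OTP devices, as django_otp's user_has_device()
    # would report. 0 means two-factor auth is not enabled for this user.
    confirmed_devices: int = 0


@dataclass
class Session:
    """One logged-in browser session belonging to a user."""
    user: FakeUser
    # True only if THIS session completed an OTP challenge. A session that
    # was opened before the user enabled two-factor auth never did.
    otp_verified: bool = False

    def is_verified(self) -> bool:
        return self.otp_verified


class OTPRequired(Exception):
    """Raised where the real decorator would redirect to the OTP login."""


def otp_required(view=None, *, if_configured=False):
    """Plain-Python stand-in for django_otp.decorators.otp_required.

    Allowed when the session is OTP-verified, or when if_configured=True and
    the user has no confirmed device. Without if_configured every caller
    must have a verified session.
    """
    def decorator(func):
        @wraps(func)
        def wrapper(session, *args, **kwargs):
            has_device = session.user.confirmed_devices > 0
            allowed = session.is_verified() or (if_configured and not has_device)
            if not allowed:
                raise OTPRequired(f"{session.user.username}: second factor required")
            return func(session, *args, **kwargs)
        return wrapper
    # Support both @otp_required and @otp_required(if_configured=True).
    return decorator(view) if view is not None else decorator


@otp_required(if_configured=True)
def delete_account(session):
    """Sensitive view: gated only for users who have turned on 2FA."""
    return f"deleted account of {session.user.username}"


@otp_required
def strict_action(session):
    """Unconditionally gated view: blocks every non-verified session."""
    return "ok"


def is_blocked(view, session) -> bool:
    """True if the gated view refuses this session."""
    try:
        view(session)
    except OTPRequired:
        return True
    return False


def scenario():
    """Stale session opened before 2FA was enabled vs. a fresh verified one."""
    alice = FakeUser("alice")
    stale = Session(alice)              # logged in on someone else's machine, pre-2FA
    alice.confirmed_devices = 1         # alice enables two-factor auth later
    fresh = Session(alice, otp_verified=True)  # new login that completed OTP
    bob = FakeUser("bob")               # never enabled two-factor auth
    return {
        "fresh": delete_account(fresh),
        "stale": "blocked" if is_blocked(delete_account, stale) else "allowed",
        "bob": delete_account(Session(bob)),
        "bob_strict": "blocked" if is_blocked(strict_action, Session(bob)) else "allowed",
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

With if_configured=True the stale session is refused the moment alice has a confirmed device, because that session never completed an OTP challenge and stays unverified until it does; bob, who never enabled two-factor auth, is unaffected by the same decorator. The unconditional form shows the trade-off the kwarg avoids: it would also block every user who has not opted in.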