Hi Johann, I think here we are talking about two different things. Feel free to correct me if I am wrong.
In the first case, we are trying to assert the value of the claims provided by the user. In the case of phone number and email claims sending verification code does make sense but to assert the first name or last name sending verification code to email or phone doesn't give enough assurance(usually photo ID proof is needed to verify names). What you are talking about is getting enough assurance level for the authenticated user by prompting 2FA to be able to update security questions. This should be handled by auth system not the claim verification system. Thanks, Ajanthan.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
