I am in the process of developing a web-application which requires MFA on every login. (On the first login, before you can do anything, you are forced to set up MFA.) Due to monetary restrictions and development time restraints, the MFA chosen is a simple TOTP solution, but in the future I may include other providers such as Authy.
In the process of developing the Password Recovery flow, I thought that if someone forgot their password, they most likely forgot/lost their MFA as well. In your experiences, is this assumption correct? What is the “best practice” here? Do I reset the MFA along with the password on password recovery, or do I force the user to authenticate through another method in order to have their MFA reset?
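As an added illustration of the two flows the question contrasts (this is example code written for this page, not code from the poster's application), the following Python module keeps password recovery and MFA reset as separate operations: completing a password reset never touches the TOTP secret, and re-enrolling MFA requires the (possibly just-reset) password plus a second factor, either a current TOTP code or a single-use backup code. The TOTP implementation follows RFC 6238 using only the standard library; the in-memory user store, the 15-minute reset-token lifetime, PBKDF2 for password hashing and backup codes as the "other method" are all assumptions made for the example, not anything the question specifies.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000        # assumption: tune to your hardware
RESET_TOKEN_TTL = 15 * 60      # assumption: seconds a reset link stays valid
TOTP_STEP = 30                 # RFC 6238 default time step
BACKUP_CODE_COUNT = 8          # assumption: codes issued at enrolment


@dataclass
class User:
    username: str
    password_hash: str
    totp_secret: bytes                      # shared secret enrolled at first login
    backup_code_hashes: set = field(default_factory=set)  # sha256 of unused codes


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salt:hash' hex."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing for_time."""
    counter = struct.pack(">Q", for_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


class RecoveryService:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.reset_tokens: dict[str, tuple[str, int]] = {}   # token -> (username, expiry)

    def enroll(self, username: str, password: str, totp_secret: bytes = None):
        """Create the account and return the plaintext backup codes to show once."""
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]
        user = User(username, hash_password(password),
                    totp_secret or secrets.token_bytes(20),
                    {hashlib.sha256(c.encode()).hexdigest() for c in codes})
        self.users[username] = user
        return user, codes

    def issue_password_reset(self, username: str, now: int) -> str:
        """Token that would be e-mailed to the user; unguessable and time-limited."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, now + RESET_TOKEN_TTL)
        return token

    def complete_password_reset(self, token: str, new_password: str, now: int) -> bool:
        entry = self.reset_tokens.pop(token, None)       # single use
        if entry is None or now > entry[1]:
            return False
        user = self.users[entry[0]]
        user.password_hash = hash_password(new_password)
        # Deliberately leave totp_secret untouched: the reset link only proves
        # control of the e-mail channel, which is not a second factor.
        return True

    def reset_mfa(self, username: str, password: str, second_factor: str, now: int) -> bool:
        """Re-enrol TOTP only after password + (current TOTP code or unused backup code)."""
        user = self.users[username]
        if not verify_password(password, user.password_hash):
            return False
        if verify_totp(user.totp_secret, second_factor, now):
            accepted = True
        else:
            digest = hashlib.sha256(second_factor.encode()).hexdigest()
            accepted = digest in user.backup_code_hashes
            if accepted:
                user.backup_code_hashes.discard(digest)   # each backup code is single use
        if not accepted:
            return False
        user.totp_secret = secrets.token_bytes(20)         # new secret to show as a fresh QR code
        return True
```

The separation matters because a password-reset link by itself only demonstrates control of the recovery channel; letting that same link also clear MFA reduces the account to single-factor for anyone who reaches the mailbox. A user who has genuinely lost both the password and the authenticator is handled by the backup codes (or, if those are gone too, a manual identity-verification path outside this code).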