Looking at the weakness of the password hint contents, and because there is no way to turn that feature off, is there some way I can force users to use a different email address than their account email for the Email 2FA challenge?
The idea here is that all employees have a company phone, and I can send that Email 2FA challenge to the SMS email gateway to turn it into a text. Or send it to our service manager and have users go through him.
Or, at a minimum, can I audit this and see their Email 2FA address and enforce this myself?