2FA status in users endpoint (when authing as the user)
We third-party devs often build tools that assist with moderation actions/services for broadcasters.
We tell Moderators to enable 2FA, but we have no way to check it.
It would be useful to block logins to our tool if 2FA is not enabled. But 2FA data is not surfaced in the API, and there's no way to require a user to have 2FA enabled during the login/OAuth loop.
I'd like to see the users endpoint(s) provide 2FA status.
I expect this to be behind the user read or openID scopes.
OpenID allows "email verified". Why not 2FA status (for example)?
Worth noting that Discord floats "mfa_enabled" in its user API, so we have precedent.
I would agree it is a security risk to provide a flag in a user object indicating whether or not they have 2FA enabled. However, I think it's possible for this use case to be realized without exposing the risk if we provided developers a way to require 2FA when authenticating to their application. As such, I will move this back into "under consideration" given this approach while we discuss further.