What?

When we enable MFA (multi factor authentication), cozy doesn't request any confirmation. Here the list of problems:

• some users won't understand what this feature is and they'll lock them out of their cozy
• some users have a bad clock setup on their device / server and won't discover it before the next login when… they'll be locked out their instance

How?

Don't enable MFA until enter a valid code from their other device.
All major service use this scheme and can be used as an exemple: heroku, github, google, etc.