Originally Posted by josephstern
But that could have been a month ago that I logged in via two-factor. The cookie remembered me, right? Now, anyone who sits at my desk can open AW, go into settings, and turn off two-factor, without first re-authorizing with two-factor.
How can that be? He just said "On top of that, we also ask for your AwardWallet password to disable two-factor auth." Sounds like cookies alone wouldn't allow that.