Impact
No direct exploitation has been observed, but allowing a user to remove every enrolled MFA device contradicts the intended behaviour of the application, which requires at least one MFA device to remain on the account. Once the last device is deleted the account falls back to single-factor (password-only) authentication, so a user who disables MFA temporarily, or an attacker who reaches the device-management function, leaves the account exposed to unauthorized access until a device is re-enrolled. This weakens the security posture of the application and deviates from multi-factor authentication best practice, which expects MFA enforcement to be continuous. The application should reject any request that would leave an account with zero MFA devices; that check belongs on the server side and should be applied atomically with the delete, so that concurrent removal requests cannot bypass it.
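The following is an added illustration, not code from the application in the report, of the server-side rule described above: a delete handler that refuses to remove an account's last MFA device, alongside the weak behaviour the report describes and a naive fix whose check-then-delete is not atomic. Names such as Account, remove_device and replace_device and the in-memory device set are assumptions for the example; a real deployment would apply the same check inside one database transaction.

```python
"""Rule: an account must always keep at least one enrolled MFA device.

Hypothetical example code. Devices are held in an in-memory set per account,
guarded by a lock that stands in for a database transaction.
"""
import threading
from dataclasses import dataclass, field


class LastMfaDeviceError(Exception):
    """Raised when a request would leave the account with no MFA device."""


@dataclass
class Account:
    user: str
    mfa_devices: set = field(default_factory=set)
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False)


def remove_device_unchecked(account: Account, device_id: str) -> None:
    """Weak behaviour described in the report: any device, including the
    last one, can be removed, leaving the account password-only."""
    account.mfa_devices.discard(device_id)


def remove_device_racy(account: Account, device_id: str) -> None:
    """Naive fix: refuses the last device, but the check and the delete are
    separate steps, so two concurrent requests can each pass the check and
    together remove both devices (time-of-check/time-of-use)."""
    if len(account.mfa_devices) <= 1:
        raise LastMfaDeviceError(account.user)
    account.mfa_devices.discard(device_id)


def remove_device(account: Account, device_id: str) -> None:
    """Hardened: the check and the delete run under one lock, i.e. as a
    single transaction, so the device count can never reach zero."""
    with account.lock:
        if device_id not in account.mfa_devices:
            raise KeyError(device_id)
        if len(account.mfa_devices) == 1:
            raise LastMfaDeviceError(account.user)
        account.mfa_devices.remove(device_id)


def replace_device(account: Account, old_id: str, new_id: str) -> None:
    """Rotation path: enrol the new device and drop the old one atomically,
    so a user with a single device can swap it without a zero-device gap."""
    with account.lock:
        if old_id not in account.mfa_devices:
            raise KeyError(old_id)
        account.mfa_devices.add(new_id)
        account.mfa_devices.discard(old_id)


def _attempt(remove, account: Account, device_id: str) -> None:
    try:
        remove(account, device_id)
    except (LastMfaDeviceError, KeyError):
        pass  # a refused request is the expected outcome for the last device


def concurrent_removals(remove, devices, rounds: int = 100) -> int:
    """Send one delete request per device in parallel, repeat `rounds` times,
    and return the smallest number of devices left on the account afterwards.
    With remove_device this is always at least 1."""
    worst = len(devices)
    for _ in range(rounds):
        account = Account("alice", set(devices))  # constructed sample account
        threads = [threading.Thread(target=_attempt, args=(remove, account, d))
                   for d in devices]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        worst = min(worst, len(account.mfa_devices))
    return worst


if __name__ == "__main__":
    sample = {"totp-phone", "fido-key"}  # constructed sample device ids
    print("unchecked, devices left:", concurrent_removals(remove_device_unchecked, sample, 1))
    print("hardened,  devices left:", concurrent_removals(remove_device, sample))
```

The lock in remove_device is the important part: rejecting the delete only when the count is one is not enough if the check and the delete can interleave across requests. replace_device exists so that the "at least one device" rule does not force users to temporarily drop MFA in order to change devices.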
