
MiriamP


  1. I just activated 2FA with an Authenticator app. The flow was not very straightforward - I can't reproduce exactly, but there was at least one loop in it because the email arrived on mobile while I was doing my changes on desktop. But in the end, after two tries, I had it activated.

     I then decided to change my password, as it was old. Two strange things happened:

     - I had to enter my old password, then my new password, twice, then press Next. Then I had to reconfirm the change, again, using the old password. For anyone who uses a password manager that you can have update immediately (something you want!), this is pretty terrible, because the old password has then been, you guessed it, overwritten. I also can't remember in a password changing flow having to reconfirm with the old password after the password has changed. Does this seem strange to anyone else? So, I lost my brand new password because of this.

     - I then requested a password reset. I got a reset option sent by mail. When I used it, on desktop, I fully expected to be asked to Authenticate. I just activated 2FA, after all. I wasn't asked to authenticate a password change at all. I tried again on mobile - same deal, no authentication asked. The only explanation I can think of is that authentication lasts an x amount of time, and I'd turned it on only 30 minutes before that, but I'm not sure this should be a thing. I would expect any and all password changes, especially, to need authentication. Is there an idea behind this?

     Thanks.