Implementation checklist

Do you check that the user has verified their second factor before they can reset their password?
Are users with a registered second factor that aren't 2FA-verified blocked from privledged actions, including changing passwords, viewing the recovery code, registering a new TOTP credential, and generating a new recovery code?