- MFA recovery codes handling
- Forgot password handling
    - Admin password reset mechanism -> flag users as needing PW resets
- OAuth2 -> support refresh tokens
- Traps
    - Allow setting user trap from web UI
    - Don't allow external logins if trap is set
- Trust token page -> force username of current user