- MFA recovery codes handling
- OAuth2 -> support refresh tokens
- Traps -> not clearing trust?