As a developer, I want to know the technical, security, and UX considerations for the password reset project, so that the CommTech team can properly prepare for the project.
* Investigate the technical and UX considerations of requiring both a username and email address to successfully generate a password reset request email
* Investigate how accounts with 2FA may be impacted by password reset changes and how we can maintain a smooth password reset process for them
* Investigate if we can have an email only reset option (i.e. no requirement of username). If yes, what would be the consequences (technical and UX)?
* Connect with Security team to determine if there are additional risks to take into account (note: we have had preliminary chats with Sam Reed in Security, but we should reach out again for this spike, if possible)
* Investigate what sort of logging may be helpful for Community Engagement or Anti-Harassment after this work is complete
* Query for what percentage of accounts:
** Don't have a confirmed email address?
** Have a unique confirmed email address?
** Have a confirmed email address shared by another account (and, if possible, details related to distribution -- for example, perhaps some emails have 100s of accounts?).