I'm currently implementing 2FA and ask our users that log in with their email/pass to enter their code when 2FA is enabled. This is all good.
But I also offer an "I forgot my password" access that sends a one-time login link by email to the user when the email entered matches the account we have.
Now, I wonder if it is important to also ask for the 2FA code when the user clicks that link since, by default, his email account should be secured.
So, when clicking on the link received by email, should I ask for the 2FA token before allowing access to his account, or should I redirect them directly into their account since "email is safe enough"?
Thank you for your input.