In System → CP Users, the option ‘Two-factor authentication: email’ is available when creating an new admin user, although this type of account has no client record and no email address can be defined in this form. There is no field to specify or verify which email address would be used for this authentication method. In this context, the behaviour of this option is not clear. Is this the intended behaviour? If not, possible approaches could be: —hiding this option for admin users; —allowing an email address to be defined here; —or displaying an explicit warning.
