Require staff to provide password when changing 2FA setting
When you edit the 2FA setting, you should need to provide a password. In other words, the second password field should have the required
attribute removed and the first one should be checked server-side when changing the 2FA setting.