Comment by necovek 4 days ago

It defeats the purpose of the first S in "SSO": it's not a Single Sign-On, and for Sue in GP's example, after losing access to her MFA, she can't access federated service data, nor can the domain operators restore her access.

anon84873628 3 days ago

Sue can access the federated app through SSO.

The password reset flow, if offered by the SP at all, is only a fallback alternative to the SSO in case it becomes broken, and should only be used by organization administrators.

The inability to complete the MFA is what prevents the federated user data from being accessed in the case of a domain takeover, which is what we're discussing here. So you really want that to be implemented by the SP.