Allow users to manage MFA devices with SSO MFA, but require WebAuthn for other MFA checks

[Joerger]

Customer idea:

Would it be possible to scope in being able to enforce WebAuthn for actual MFA, but allow users to reset/delete/add new MFA devices by reauthenticating with SSO? We frequently get requests from people to delete their existing user metadata to reset MFA when new laptops are provided to users because the old Touch ID for example is not available. It would be nice if a user could reset their Touch ID with on-time SSO.

Making this default behavior doesn't make sense in cases where we want to allow users to use SSO MFA for any MFA needs, so we'd need to add an option. For example:

second_factor_scopes:
  - scopes: [ admin_actions, session_mfa, ... ]
    second_factors: [ webauthn ]
  - scope: [ device_management ]
    second_factors: [ webauthn, sso ]

Related to RFD 155 - Scoped MFA and RFD 180 - SSO MFA