Currently, the SSPR verification site is accessible once a user clicks "Can't access your account?". There is nothing restricting viewing/accessing this site.
Is it possible restrict access to this SSPR verification site only after a user is validated by MFA? Customer wants to add a level security so only users that are MFA verified access to the SSPR verification site to enter the validation information needed. They are not concerned with SSPR process, it works fine. They want to minimize spray attacks using verification information.
It is understood, that using verification using txt or call my phone and email address can be used. However, the question is accessing the verification site and not the methods of verification.
If MFA cannot be used, what other combination of methods can be leveraged?