This is not a flaw but a design (as it stands today). We must assume that the email address you are using with our site can be trusted; that is the very basic assumption that we must take. If someone has access to your email, then that person can also contact us from that email and ask us to do various activities to your account, e.g. we often get requests to reset the 2FA because the device is lost. We do so based on the very same assumption: your email account is not compromised. Hence please implement some sort of 2FA on your email account. The email account is the weakest link in the chain and it needs to be protected accordingly.
In addition, we are planning to implement a 2FA reset function, and guess what it does? It sends you an email to confirm that action. Therefore, if an attacker has access to your email account he/she can request the 2FA reset as well.
Having said that, we are interested in further hardening the security by implementing additional restrictions, e.g. delayed reset requests, withdrawal blocks for a period of time. But all these are not solving the root cause, weak or compromised email accounts.
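As an added illustration (not code from the site or from anyone in this thread), here is one way the "delayed reset requests" and "withdrawal block" restrictions mentioned in the reply above could be wired into an email-confirmed 2FA reset. The class and function names, the hashed-token mechanism, the cancellation link and all durations are assumptions for the example; the post names the mechanisms, not how they are built. The point the example makes concrete is the reply's own caveat: the delay only gives the real owner a window to cancel and the block only limits what a successful reset can drain; neither helps if the attacker keeps control of the mailbox for the whole period.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values; the thread names the mechanisms, not the durations.
RESET_DELAY = timedelta(hours=48)       # reset takes effect only after this cooling-off period
CONFIRM_WINDOW = timedelta(hours=1)     # emailed confirmation link expires after this
WITHDRAWAL_BLOCK = timedelta(hours=72)  # withdrawals frozen once a reset has taken effect


def _hash(token: str) -> str:
    # Store only a hash of the emailed token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingReset:
    token_hash: str
    requested_at: datetime
    confirmed: bool = False
    cancelled: bool = False


@dataclass
class Account:
    email: str
    totp_enabled: bool = True
    pending: Optional[PendingReset] = None
    withdrawals_blocked_until: Optional[datetime] = None


class TwoFactorResetService:
    """Hypothetical reset flow: email confirmation + delay + post-reset withdrawal block."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add_account(self, email: str) -> None:
        self.accounts[email] = Account(email)

    def request_reset(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.accounts[email].pending = PendingReset(_hash(token), now)
        # In production the token goes out by email (confirm and cancel links);
        # it is returned here only so the example runs offline.
        return token

    def confirm_reset(self, email: str, token: str, now: datetime) -> bool:
        p = self.accounts[email].pending
        if p is None or p.cancelled or now - p.requested_at > CONFIRM_WINDOW:
            return False
        if not secrets.compare_digest(p.token_hash, _hash(token)):
            return False
        p.confirmed = True  # confirmed, but nothing changes until the delay has elapsed
        return True

    def cancel_reset(self, email: str, token: str, now: datetime) -> bool:
        # "This wasn't me" link from the same email: usable until the reset is applied.
        p = self.accounts[email].pending
        if p is None or not secrets.compare_digest(p.token_hash, _hash(token)):
            return False
        if now >= p.requested_at + RESET_DELAY:
            return False
        p.cancelled = True
        return True

    def apply_due_resets(self, now: datetime) -> list:
        # Scheduled job: disable 2FA only for confirmed, uncancelled requests past the delay,
        # and freeze withdrawals for a period afterwards.
        applied = []
        for acct in self.accounts.values():
            p = acct.pending
            if p and p.confirmed and not p.cancelled and now >= p.requested_at + RESET_DELAY:
                acct.totp_enabled = False
                acct.withdrawals_blocked_until = now + WITHDRAWAL_BLOCK
                acct.pending = None
                applied.append(acct.email)
        return applied

    def can_withdraw(self, email: str, now: datetime) -> bool:
        until = self.accounts[email].withdrawals_blocked_until
        return until is None or now >= until


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def scenario_attacker_with_mailbox() -> tuple:
    """Attacker holds the mailbox throughout: the reset still succeeds, only delayed and blocked."""
    svc = TwoFactorResetService()
    svc.add_account("alice@example.com")
    tok = svc.request_reset("alice@example.com", T0)
    wrong = svc.confirm_reset("alice@example.com", "not-the-token", T0)
    ok = svc.confirm_reset("alice@example.com", tok, T0 + timedelta(minutes=5))
    early = svc.apply_due_resets(T0 + timedelta(hours=1))  # nothing yet
    late = svc.apply_due_resets(T0 + RESET_DELAY)
    blocked = svc.can_withdraw("alice@example.com", T0 + RESET_DELAY)
    free = svc.can_withdraw("alice@example.com", T0 + RESET_DELAY + WITHDRAWAL_BLOCK)
    return wrong, ok, early, late, svc.accounts["alice@example.com"].totp_enabled, blocked, free


def scenario_owner_cancels() -> tuple:
    """Owner regains the mailbox inside the delay window and cancels the reset."""
    svc = TwoFactorResetService()
    svc.add_account("bob@example.com")
    tok = svc.request_reset("bob@example.com", T0)
    svc.confirm_reset("bob@example.com", tok, T0)
    cancelled = svc.cancel_reset("bob@example.com", tok, T0 + timedelta(hours=24))
    applied = svc.apply_due_resets(T0 + RESET_DELAY)
    return cancelled, applied, svc.accounts["bob@example.com"].totp_enabled
```

Nothing in this flow authenticates the person clicking the link beyond possession of the mailbox, which is exactly the reply's point: the delay and the block shrink the damage window, they do not replace a protected email account.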
This is the stupidest shit I have ever read. The whole point of 2FA is to protect from keyloggers getting your password details on your computer including your email.