Reset secret for Google Authenticator on re-enabling.
Currently, if you disable 2FA and enable it again for the same account, the same secret is used (from psa db). That is a security risk if 2FA was disabled because a phone was lost. The next time 2FA is enabled for the same account, a new secret should be generated. Otherwise, the lost phone will still be able to generate a valid code.
Implement this feature as the default behaviour, or at least add a button "regenerate secret".
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
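The scenario from the request, as an added example that is not code from the product or from either poster: an RFC 6238 TOTP check against a small enrollment store, run once with the secret reused on re-enable and once with it regenerated. `TwoFactorStore`, `lost_phone_still_valid` and the account name `admin` are hypothetical names chosen for illustration.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class TwoFactorStore:
    """Hypothetical per-account secret store, not the product's schema."""
    def __init__(self, rotate_on_enable):
        self.rotate_on_enable = rotate_on_enable
        self.secrets = {}     # account -> base32 secret; survives disable()
        self.enabled = set()

    def enable(self, account):
        # Reuse behaviour: keep whatever secret is already stored.
        # Rotate behaviour: always issue a fresh 160-bit secret.
        if self.rotate_on_enable or account not in self.secrets:
            fresh = secrets.token_bytes(20)
            self.secrets[account] = base64.b32encode(fresh).decode()
        self.enabled.add(account)
        return self.secrets[account]  # what the enrollment QR code encodes

    def disable(self, account):
        self.enabled.discard(account)

    def verify(self, account, code, at):
        if account not in self.enabled:
            return False
        return hmac.compare_digest(totp(self.secrets[account], at), code)

def lost_phone_still_valid(rotate_on_enable, start=1_700_000_000):
    """True if the old device's codes are accepted after disable + re-enable."""
    store = TwoFactorStore(rotate_on_enable)
    old_secret = store.enable("admin")  # secret enrolled on the lost phone
    store.disable("admin")              # phone reported lost
    store.enable("admin")               # 2FA switched back on
    # Check three time steps so a chance 6-digit collision cannot pass.
    times = [start + 30 * i for i in range(3)]
    return all(store.verify("admin", totp(old_secret, t), t) for t in times)

if __name__ == "__main__":
    print("reuse secret :", lost_phone_still_valid(rotate_on_enable=False))
    print("rotate secret:", lost_phone_still_valid(rotate_on_enable=True))
```
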