It will always be possible to create account and log in with no MFA? Old DNS host made mandatory MFA and I change host because it should never be.
I log in with website and don’t see the token secret so I can’t use it but it is in Token Management list. How can I see it when log in? Are expired login tokens removed automatically from list of tokens? I have many there.
As you know, we currently do not require MFA, and we have no plans requiring it, even in the long term.
However, we will not make an absolute statement for the indefinite future. I can only tell you that it’s no planned, we see no reasons for planning that, and it’s extremely unlikely. I hope you understand.
You cannot see any token secrets after logging in. The token secret is only displayed once, when the token is created. (We store them in hashed form, so it cannot even be recovered.)
As you observed already, expired tokens are not removed, but marked as expired. You can remove them if you like.