SSO user's Teleport MFA can only be reset after they login

[GavinFrazar]

Teleport allows SSO users to configure MFA in Teleport.
It also allows them to login without prompting for that MFA (the SSO provider is responsible for that, not Teleport).
However, if they do configure MFA and then lose that token (or the webauth rp_id is changed), then they can't remove the MFA and they can't change it.

Local users can ask a Teleport cluster admin to reset them.
SSO users can do the same, but it will only be possible while their ephemeral user still exists, since SSO users expire but their MFA configuration does not.

This is riding the line between bug and feature request imo, but I think it's a bug - it's pretty poor UX to make a cluster admin sync up with a user to get their MFA reset. They may be in different timezones for example.

Bug details:

• Teleport version: v14.3.16
• Recreation steps: configure SSO, login to web ui or tsh and add an MFA device. Now pretend you can't pass MFA prompts anymore and need to be reset. The cluster admin can only reset you if you happen to have logged in somewhat recently.