I am designing a 2FA OTP function for a travel application that allows users to book flights and trains. As users can store personal information, including their payment details, this level of verification is needed.
At first it made sense to include this flow at the beginning, just after users log in, similar to banking applications. However, I am considering including it only in the parts of the application where confidential information will be accessed. In this way, it may not be as intrusive for users who access the functions of the application that do not have personal information. What are your thoughts? Is there any other solution?
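
The second option in the question (asking for the OTP only before confidential areas) is usually called step-up authentication. The sketch below is an added example, not part of the original post: it shows a server-side check in which low-risk actions are allow-listed and everything else requires a recent OTP. The action names, the `Session` fields and the 5-minute freshness window are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Assumed action names for a travel app. Only these are reachable with a
# password login alone; any action NOT listed here needs a fresh OTP, so a
# newly added endpoint is protected by default.
LOW_RISK_ACTIONS = {"search_flights", "search_trains", "view_timetable"}
OTP_FRESHNESS_SECONDS = 300  # assumed: an OTP check stays valid for 5 minutes


@dataclass
class Session:
    user_id: str
    logged_in: bool = False
    otp_verified_at: Optional[float] = None  # None = no OTP passed this session


def authorize(session: Session, action: str, now: Optional[float] = None) -> str:
    """Return 'allow', 'login_required' or 'otp_required' for an action."""
    now = time.time() if now is None else now
    if not session.logged_in:
        return "login_required"
    if action in LOW_RISK_ACTIONS:
        return "allow"  # browsing and search: no personal data involved
    verified = session.otp_verified_at
    # Reject a missing, expired or future-dated OTP timestamp.
    if verified is None or verified > now or now - verified > OTP_FRESHNESS_SECONDS:
        return "otp_required"  # step up before touching sensitive data
    return "allow"


def record_otp_success(session: Session, now: Optional[float] = None) -> None:
    """Call only after the server itself has verified the submitted OTP."""
    session.otp_verified_at = time.time() if now is None else now
```

The check belongs on the server in front of every sensitive endpoint; hiding screens in the client alone does not protect the stored payment details.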