More options with OTP
As it is right now OTP is either enabled or disabled. There should be an option to use OTP only when an email is being sent outside of the organization otherwise it stays disabled. To have OTP enabled all the time doesn't make sense because if someone's mailbox is compromised the would be hacker could easily click the OTP link to gain access to the email. You could enforce the use of MFA to mitigate that issue but if you have a lot of users, especially ones who are not savvy with computers, that could be a real nightmare.