If a user has multi-factor authentication enabled for his account, changing the password should require the verification with a one-time code. The `kolab_2fa` plugin shall therefore intercept password change actions. Maybe additional hooks from the `password` (from Roundcube upstream) are required.