Every day the scenario checks in AWS Cognito whether everyone has login protection on, warns them in Zulip and deactivates keys once you confirm.