minor stuff yes

Author: cyyynthia

docs/getting-started/2-legal-mumbo-jumbo.md

@@ -48,7 +48,7 @@ their date of birth during registration to ensure compliance with privacy laws a
 the application if necessary.
 
 Related legal resources:
- - Article 20 of the French law No. 2018-493 relative to protection of personal data, [Loi n° 2018-493, Article 20](https://legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000037085952)
- - Article L.227-24 of the French Penal Code, [Article L.227-24 du Code Pénal](https://www.legifrance.gouv.fr/affichCodeArticle.do?cidTexte=LEGITEXT000006070719&idArticle=LEGIARTI000006418096)
- - Article 8 of the European General Data Protection Regulation (GDPR), [(EU) 2016/679, Article 8](https://eur-lex.europa.eu/eli/reg/2016/679)
- - US' Children's Online Privacy Protection Act (COPPA), [15 U.S.C. §§ 6502(a)](https://uscode.house.gov/view.xhtml?edition=prelim&req=granuleid%3AUSC-prelim-title15-section6502)
+ - Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Article 7-1 ([Légifrance](https://legifrance.gouv.fr/loda/article_lc/LEGIARTI000037087837/2018-06-22))
+ - Article L.227-24 du Code Pénal ([Légifrance](https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000042193612/2020-08-01))
+ - Article 8 of the European General Data Protection Regulation (GDPR; (EU) 2016/679) ([Europa](https://eur-lex.europa.eu/eli/reg/2016/679))
+ - US' Children's Online Privacy Protection Act (COPPA; 15 U.S.C. §§ 6502(a)) ([United States Code](https://uscode.house.gov/view.xhtml?edition=prelim&req=granuleid%3AUSC-prelim-title15-section6502))

docs/rest-api/1-authentication.md

@@ -79,14 +79,36 @@ discretion. In this case, you'll always get the `DOB_PRIVACY_LAW` error, even if
 of birth.
 
 ## Email confirmation
+>warn
+> This endpoint must **not** be automated. Internal systems may catch abnormal activity and flag the account for
+> suspicious activity, requiring manual administrator review to unlock the account.
 
 ## Login
 
 ## Multi-factor authentication
+>warn
+> This endpoint must **not** be automated. Internal systems may catch abnormal activity and flag the account for
+> suspicious activity, requiring manual administrator review to unlock the account.
 
 ## Remote authentication
+Remote authentication lets you authenticate a device using an already authenticated one (for example, your phone).
+We'll refer to the device you are authenticating the "New device" and the authenticated device "Trusted device".
+
+Depending on the settings or on the instructions from the Trusted device, the session may be limited (or remote
+auth may not be available). This is useful to quickly login to devices you do not trust without typing your
+password and only have limited access to prevent token hijacking.
+
+### New device side (Part 1)
+### Trusted device side
+### New device side (Part 2)
 
 ## Password reset
+>warn
+> Those endpoints must **not** be automated. Internal systems may catch abnormal activity and flag the account for
+> suspicious activity, requiring manual administrator review to unlock the account.
+
+### Request a reset
+### Execute a reset
 
 ## Logout
 To logout, the client simply drops the token and doesn't do anything more. There is no dedicated procedure to log out