Verification of backup codes could be stronger #56
Comments
Are you saying that the Backup Codes status box in your screenshot should be hidden until TOTP is set up, so that when a new user visits the page, it'd look like this? ...or just that the box should be disabled / not clickable? Once they're on that screen, requiring them to check the box before the codes get saved isn't currently possible because of WordPress/two-factor#507, but I'd like to implement that once the upstream issue is resolved. Related:
Ah, I see! Yeah, I think that's a good idea 👍🏻
Part of this is caused by / limited by WordPress/two-factor#507: the backup codes are already saved and in use before the checkbox on that UI is selected; they're saved at generation time.
With the current flow, is there a way that the last "backup codes" box is not checked while having 2FA active?
Seeing that before I started 2FA, I figured it would be something I've seen elsewhere that asks for a backup code for verification-of-saving on the next screen after the backup codes were displayed.
By doing that, we actually do verify that someone did something to retain their backup codes instead of clicking through (out of ignorance, accident, etc.).
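The "verification-of-saving" step proposed above, written out as an added example; this is not code from the WordPress/two-factor plugin or from any commenter, and the class name, the PBKDF2 storage format and the code length are assumptions made for the illustration. Codes are generated and stored hashed immediately (as the thread notes the plugin already does), but none of them can be redeemed for login until the user proves retention by entering one of them, and that proving code is consumed so it cannot be reused.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10        # assumed: number of backup codes issued per user
CODE_BYTES = 5         # assumed: 40-bit codes shown as 10 hex characters
PBKDF2_ROUNDS = 50_000 # assumed; tune for the deployment


def _hash_code(code: str, salt: bytes) -> bytes:
    # Assumed storage format: PBKDF2-HMAC-SHA256 over the normalised code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Per-user backup-code set that is inert until the user confirms it."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: list[bytes] = []
        self.confirmed = False   # the "I have saved these" state, proven not clicked

    def generate(self) -> list[str]:
        """Create a fresh set; return plaintext codes for one-time display."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        self.confirmed = False   # regenerating always requires re-confirmation
        return codes

    def _consume(self, code: str) -> bool:
        """Remove the matching hash if the code is valid; single use."""
        candidate = _hash_code(code.strip().lower(), self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]
                return True
        return False

    def confirm_saved(self, code: str) -> bool:
        """Verification-of-saving: the user types back one code from the
        set they were shown. Success activates the remaining codes."""
        if self._consume(code):
            self.confirmed = True
        return self.confirmed

    def redeem(self, code: str) -> bool:
        """Login-time use. Refuses every code until the set is confirmed,
        so an unconfirmed, unsaved set cannot act as a second factor."""
        if not self.confirmed:
            return False
        return self._consume(code)


if __name__ == "__main__":
    bc = BackupCodes()
    shown = bc.generate()
    print("redeem before confirm:", bc.redeem(shown[0]))      # False
    print("confirm with a code:", bc.confirm_saved(shown[0]))  # True
    print("redeem another code:", bc.redeem(shown[1]))        # True
    print("remaining codes:", len(bc.hashes))                 # 8
```

The point of refusing `redeem` before `confirm_saved` is that the account can never depend on a backup-code set the user has not demonstrably retained; the checkbox in the current UI records only a click, whereas the typed-back code records possession.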