Details
Suggestion
Resolution: Won't Fix
Description
- U2F is not a sub-part of smartphone-based 2FA - it's an independent method, and should have the same level as smartphone-based 2FA. I should be able to enable 2FA using only U2F as my second factor (no smartphone-based access), and receive recovery codes via email (and be able to access them via SSH).
- There must be a way to use recovery code(s) on a U2F-enabled account regardless of whether smartphone-based 2FA was or was not enabled.
Let me add an insult - your current design where U2F can only be enabled if smartphone-based 2FA has already been set up is stupid.