Details
Suggestion
Resolution: Won't Fix
Description
As a recommendation to better force users like myself (too-much-text-did-not-read type of person) to save the recovery codes, you should emphasize this information (marked in the screenshot with a red border) and make it a requirement to press “Show recovery codes” before the 2-step verification can be activated.
You could also add functionality to e-mail the codes or send them by mobile text if they are forgotten. If security were an issue, this functionality could be optionally activated with a user setting.
This problem tends to happen quite a bit since the authenticator app setups on mobile phones are mostly excluded from backups. Every time a user switches/reinstalls a phone or loses/breaks a phone, the recovery codes are the only way to recover an account. Sometimes an SSH key can be used to restore recovery codes, but this recovery process is a bit random, with "permission denied" messages etc.