Minimize risk of being locked out from account with 2FA

Issue #15682 new
Jesper Wilfing
created an issue

As a recommendation to better force users like myself (too-much-text-did-not-read type of person) to save the recovery codes, you should emphasize this information (marked in the screenshot with a red border) and make it a requirement to press “Show recovery codes” before the 2-step verification can be activated.

You could also add functionality to e-mail the codes or send them by mobile text if forgotten. If security would be an issue, this functionality could be optionally activated with a user setting.

This problem tends to happen quite a bit since the authenticator app setup on mobile phones is mostly excluded from backups. Every time a user switches/reinstalls a phone or loses/breaks a phone, the recovery codes are the only way to recover an account. Sometimes an SSH key can be used to restore recovery codes, but this recovery process is a bit random, with "permission denied" messages etc.
