The 2FA recovery codes are obtainable more than once without elevated privileges

Issue #15908 new
Mark van der Velden
created an issue

Having the keys available from a logged-in account is fine I suppose, but having them available without re-confirmation is a weak link.

At the very least, it should require privilege elevation / reconfirmation:

  1. Require the password before accessing the recovery-codes page, or
  2. Require a confirmation via a different channel (e.g. e-mail)
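As an added illustration of the first option (not code from this project or from the issue author), here is a minimal "sudo mode" gate in Python: reading the recovery codes succeeds only if the user has re-entered their password within a short window, otherwise the caller gets a re-authentication challenge. The `Session`/`User` types, the PBKDF2 parameters, the five-minute window and the audit-log shape are all assumptions for the example; a second-channel confirmation (option 2) would simply be another way to open the same window.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy: a password re-confirmation keeps "sudo mode" open for 5 minutes.
SUDO_WINDOW_SECONDS = 300


@dataclass
class Session:
    user_id: str
    # Unix time of the last successful password re-confirmation, None if never.
    last_reauth_at: Optional[float] = None


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    recovery_codes: List[str] = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_user(user_id: str, password: str, codes: List[str]) -> User:
    salt = os.urandom(16)
    return User(user_id, salt, hash_password(password, salt), list(codes))


def reauthenticate(session: Session, user: User, password: str, now: float) -> bool:
    """Step-up check: verify the password and, on success, open the sudo window."""
    if session.user_id != user.user_id:
        return False
    candidate = hash_password(password, user.salt)
    # Constant-time comparison so a wrong guess is not timing-distinguishable.
    if hmac.compare_digest(candidate, user.pw_hash):
        session.last_reauth_at = now
        return True
    return False


def sudo_mode_fresh(session: Session, now: float) -> bool:
    """True only if a re-confirmation happened less than SUDO_WINDOW_SECONDS ago."""
    if session.last_reauth_at is None:
        return False
    age = now - session.last_reauth_at
    return 0 <= age < SUDO_WINDOW_SECONDS


def get_recovery_codes(session: Session, user: User, now: float,
                       audit_log: List[dict]) -> Tuple[str, Optional[List[str]]]:
    """Gate the recovery-codes page behind a fresh password re-confirmation.

    Returns ("ok", codes) inside the window, ("reauth_required", None) when the
    caller must re-enter the password first, ("forbidden", None) on a user mismatch.
    Every attempt, allowed or not, is written to the audit log.
    """
    if session.user_id != user.user_id:
        audit_log.append({"user": user.user_id, "event": "recovery_codes_forbidden", "at": now})
        return ("forbidden", None)
    if not sudo_mode_fresh(session, now):
        audit_log.append({"user": user.user_id, "event": "recovery_codes_reauth_required", "at": now})
        return ("reauth_required", None)
    audit_log.append({"user": user.user_id, "event": "recovery_codes_viewed", "at": now})
    return ("ok", list(user.recovery_codes))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    user = make_user("alice", "correct horse battery staple", ["aaaa-1111", "bbbb-2222"])
    session = Session(user_id="alice")
    log: List[dict] = []
    print(get_recovery_codes(session, user, 1000.0, log))          # reauth_required
    print(reauthenticate(session, user, "wrong password", 1000.0))  # False
    print(reauthenticate(session, user, "correct horse battery staple", 1000.0))  # True
    print(get_recovery_codes(session, user, 1100.0, log))          # ok, codes
    print(get_recovery_codes(session, user, 1000.0 + SUDO_WINDOW_SECONDS, log))  # expired
```

The window is checked against the time the codes are requested, not the time of login, so a session that has been idle for hours still has to present the password again before the codes are shown; the audit entries give the detection side a record of who viewed or tried to view the codes and when.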