Changing the device used for TOTP 2FA is frustrating

Issue #16810 new
Daniel Cormier created an issue

The current flow to change TOTP requires that the user completely disable ALL 2FA, reset the recovery codes unnecessarily, and doesn't make it clear that the user won't have to set up the security keys again once 2FA is re-enabled.

Instead of completely disabling 2FA (including security keys and recovery codes), just let the user click a button to show the QR code to register a new TOTP device, with some text explaining that the existing TOTP device will stop working once the new device is verified.

Something like this would be less troublesome to the user. It would also make it more obvious how to set up a new TOTP device.
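As an added illustration of the flow proposed above (example code written for this page, not code from the project the issue is filed against), the sketch below keeps a *pending* TOTP secret alongside the active one. The QR provisioning URI is generated for the pending secret, the old secret keeps working until the user proves possession of the new device with a valid code, and security keys and recovery codes are never touched. The `Account` class, the `otpauth://` issuer name and the RFC 6238 helper are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a base32 secret (SHA-1, as authenticator apps expect)."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32: str, code: str, now: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept codes from the current step and +/- `window` steps, in constant time."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + k), code)
               for k in range(-window, window + 1))


@dataclass
class Account:
    # Hypothetical account model: only the fields needed for the flow.
    username: str
    totp_secret: Optional[str] = None          # active TOTP secret (base32)
    pending_totp_secret: Optional[str] = None  # new device, not yet verified
    security_keys: List[str] = field(default_factory=list)
    recovery_codes: List[str] = field(default_factory=list)

    def begin_totp_rotation(self, issuer: str = "ExampleApp") -> str:
        """Generate a fresh secret and return the otpauth:// URI to encode as a QR code.
        The active secret stays in force; nothing else on the account changes."""
        self.pending_totp_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return (f"otpauth://totp/{quote(issuer)}:{quote(self.username)}"
                f"?secret={self.pending_totp_secret}&issuer={quote(issuer)}")

    def verify_totp_rotation(self, code: str, now: Optional[float] = None) -> bool:
        """Promote the pending secret only after a valid code from the new device.
        Recovery codes and security keys are deliberately left untouched."""
        if self.pending_totp_secret is None:
            return False
        now = time.time() if now is None else now
        if not verify_totp(self.pending_totp_secret, code, now):
            return False  # wrong device or typo: old device keeps working
        self.totp_secret = self.pending_totp_secret
        self.pending_totp_secret = None
        return True

    def cancel_totp_rotation(self) -> None:
        """Abandon the new device; the active secret is unaffected."""
        self.pending_totp_secret = None

    def check_login_totp(self, code: str, now: Optional[float] = None) -> bool:
        """Login check always uses the active secret, never the pending one."""
        if self.totp_secret is None:
            return False
        now = time.time() if now is None else now
        return verify_totp(self.totp_secret, code, now)


if __name__ == "__main__":
    # Constructed walk-through: the user swaps phones without losing anything else.
    acct = Account("alice", totp_secret="JBSWY3DPEHPK3PXP",
                   security_keys=["yubikey-1"], recovery_codes=["r1", "r2"])
    print("scan:", acct.begin_totp_rotation())
    print("old device still works:", acct.check_login_totp(totp(acct.totp_secret, time.time())))
    print("new device verified:", acct.verify_totp_rotation(totp(acct.pending_totp_secret, time.time())))
    print("keys/recovery untouched:", acct.security_keys, acct.recovery_codes)
```

The design point is that the only state that changes on success is `totp_secret`; a failed or abandoned verification leaves the user exactly where they started, so there is no window in which they are locked out and no reason to regenerate recovery codes.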
