2FA: Confusing error message when providing an incorrect backup code.

[rynaldos]

Quick summary

When adding an invalid backup code when logging into WordPress.com it gives the following error message:

The problem is that this is a backup code and not a verification code as the error implies.

Steps to reproduce

1. With 2FA enabled, log into WordPress.com
2. You'll see a prompt to add your 2FA (verification) code (if configured). Skip this and select "I can't access my phone".
3. Add an invalid backup code.
4. See error message

What you expected to happen

I would expect to see an error message stating that it was an invalid backup code and not an invalid verification code.

What actually happened

It provided a confusing error message, and I wasn't sure if I had added a backup code or 2FA code.

Context

No response

Platform (Simple, Atomic, or both?)

No response

Theme-specific issue?

No response

Browser, operating system and other notes

No response

Reproducibility

Consistent

Severity

All

Available workarounds?

None

Workaround details

Replace the error message in the code.

[cuemarie]

📌 SCRUBBING : RESULT - Replicated / Could Not Replicate / Uncertain

• Replicated

📌 FINDINGS/SCREENSHOTS/VIDEO

• I agree the language is a bit confusing, as this is specific to a backup code, not an app-generated auth code.

📌 ACTIONS

• Labelling as Feature Request/Enhancement
• Feature Request Kept