FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Recovery code screen doesn't show up unless two MFA methods provided #1186

Open mooreds opened 3 years ago

mooreds commented 3 years ago

Recovery code screen doesn't show up unless two MFA methods provided

Description

As a user, I need to know that I can enter my recovery code on the authentication challenge screen.

Should update the authentication challenge default display message and document that the recovery code can be used.

Old description

Description

As a user, I should have the option to use a recovery code even if I only have one MFA method enabled. I don't.

Affects versions

1.26.1

Steps to reproduce

  1. Enable MFA for a tenant
  2. Enable MFA for a user (I used email verification)
  3. Login as that user using the hosted login pages
  4. You are prompted for your second factor as expected, but not for a recovery code

If you add a second MFA factor (I used TOTP), you are prompted to use the recovery code.

Expected behavior

Offer the ability to use the recovery code with only one MFA method.

robotdan commented 3 years ago

Recovery codes always work; I only added it as an option on the selection screen to help the user know it is an option.

But we could make sure to always allow the user to go back to the selection screen even when they have one method so that I can show the recovery code option.

mooreds commented 3 years ago

Sorry, is "the selection screen" the screen you are presented with when you log in and have 2FA enabled?

mooreds commented 3 years ago

OK, I have verified that I can provide the recovery code on the authentication challenge screen:

[Screenshot: Screen Shot 2021-04-27 at 8 57 04 AM]

So this may be a doc issue, not a code issue. Tagging it so.

robotdan commented 3 years ago

The current decision path is like this:

  1. If we have a previously used method, or you only have one (or more than one, but they are all authenticator apps), go directly to the challenge screen.
  2. If you have more than just authenticator apps (SMS or email), add the "didn't receive code, try another option" link to go back and select a different method.
  3. When displaying the options panel, also show recovery codes as an option. This is just a visual cue, as recovery codes always work.
  4. If more than one method (at least one SMS or email) and no method has yet been used, start at the options panel. This will also show recovery codes as an option.

So perhaps it is not clear that you can always use a recovery code, and maybe I clouded it by adding that as an option on the options page. I saw some other sites do this, and it is a nice cue to the user, but perhaps it is confusing because the user will think that unless they select that option it won't work?
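A model of the decision path described above, added here as an illustration and not FusionAuth's own code (the method names, the `Flow` fields and the single-use treatment of recovery codes are assumptions); it shows why the one-method case never reaches the options panel, and that a recovery code is still accepted on the challenge screen whether or not the UI advertised it:

```python
import hmac
from dataclasses import dataclass
from typing import Optional

AUTHENTICATOR, SMS, EMAIL = "authenticator", "sms", "email"
MESSAGE_METHODS = {SMS, EMAIL}


@dataclass
class Flow:
    start_screen: str             # "challenge" or "options"
    challenge_method: Optional[str]
    show_try_another_link: bool   # "didn't receive code, try another option"
    options_show_recovery: bool   # recovery code listed as a visual cue on the options panel


def decide_flow(methods: list[str], last_used: Optional[str] = None) -> Flow:
    """Where the second-factor flow starts and what it offers, per the thread's four rules."""
    if not methods:
        raise ValueError("MFA enabled but no methods configured")
    if last_used is not None and last_used not in methods:
        raise ValueError("previously used method is no longer enabled")
    has_message_method = any(m in MESSAGE_METHODS for m in methods)
    # Rule 1: a remembered method, a single method, or only authenticator apps -> challenge screen directly.
    if last_used is not None or len(methods) == 1 or not has_message_method:
        chosen = last_used if last_used is not None else methods[0]
        # Rule 2: the link back to the options panel exists only when an SMS/email method is there to switch to.
        # Rule 3: the options panel, when reachable, also lists the recovery code as a cue.
        link = has_message_method and len(methods) > 1
        return Flow("challenge", chosen, link, link)
    # Rule 4: several methods, at least one SMS/email, nothing used yet -> start at the options panel.
    return Flow("options", None, False, True)


def verify_challenge(submitted: str, expected_code: str, recovery_codes: set[str]) -> str:
    """Recovery codes always work on the challenge screen, advertised or not.
    Returns "code", "recovery" or "rejected". Recovery codes are modelled as single-use (assumption)."""
    if hmac.compare_digest(submitted, expected_code):
        return "code"
    for rc in list(recovery_codes):           # constant-time compare against each stored recovery code
        if hmac.compare_digest(submitted, rc):
            recovery_codes.discard(rc)        # consume it so the same code cannot be replayed
            return "recovery"
    return "rejected"


if __name__ == "__main__":
    print(decide_flow([EMAIL]))                                # challenge, no link, no recovery cue
    print(decide_flow([EMAIL, AUTHENTICATOR]))                 # options panel with recovery cue
    print(verify_challenge("abcd-1234", "123456", {"abcd-1234"}))  # recovery
```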

mooreds commented 3 years ago

Sure, what was confusing to me is that when I am in step 1, I can actually use a recovery code.

I think it is as simple as adding "or recovery code" to the "enter your verification code" text in the input form.

Most people will be customizing these screens anyway, so we want to give them a clue that they should mention recovery codes here.