Open mooreds opened 3 years ago
Recovery codes always work, I only added it as an option on the selection screen to assist the user to know it is an option.
But we could make sure to always allow the user to go back to the selection screen even when they have one method so that I can show the recovery code option.
Sorry, is "the selection screen" the screen you are presented at when you login and have 2fa enabled?
OK, I have verified that I can provide the recovery code on the authentication challenge screen:
So this may be a doc issue, not a code issue. Tagging it so.
The current decision path is like this:
So perhaps it is not clear that you can always use a recovery code, and maybe I clouded it by adding that as an option on the options page. I saw some other sites do this, and it is a nice queue to the user, but perhaps it is confusing because the user will think that unless they select that option it won't work?
Sure, what was confusing to me is that when I am in step 1, I can actually use a recovery code.
I think it is as simple as adding "or recovery code" to the "enter your verification code" text in the input form.
Most people will be customizing these screens anyway, so we want to give them a clue that they should mention recovery codes here.
Recovery code screen doesn't show up unless two MFA methods provided
Description
As a user, I need to know that I can enter my recovery code on the authentication challenge screen.
Should update the authentication challenge default display message and document that the recovery code can be used.
old
Description
As a user I should have the option to use a recovery code even if I only have one MFA method enabled. I don't.
Affects versions
1.26.1
Steps to reproduce
If you add a second MFA factor (I used TOTP), you are prompted for to use the recovery code.
Expected behavior
Offer the ability to use the recovery code with only one MFA method.