OpenConext / Stepup-SelfService

Stepup Self-service interface
Apache License 2.0

Require SMS recovery token authentication #290

Closed MKodde closed 1 year ago

MKodde commented 1 year ago

When recovering a SF token using your recovery token, the SMS option did not require an SMS authentication. That was fixed in this PR.

During registration, the SMS auth step is not required as you just registered the SMS recovery token in that case. And that is enough proof of possession at that point. But during recovery of a SF token, you are required to prove possession of your recovery token.

For the safe-store RT that would already work.

See: https://www.pivotaltracker.com/story/show/185099092