
Activating multiple methods is confusing and can fail silently

Open simonwheatley opened this issue 9 years ago • 3 comments

What I did:

  1. Activated Two Factor on Engie on my sandbox only, logged in and navigated to my user profile…
  2. Checked “SMS”, “Backup Verification Codes”, and “Time Based One-time Password” methods
  3. Clicked “Update Profile”
  4. The edit profile page came back with “Two-Factor: You are out of backup codes and need to regenerate!”… no methods were checked
  5. It seems like if any method which you have checked fails its activation checks, then any new methods you have checked also fail activation.

Suggestions:

  • Consider moving Two Factor configuration to its own page; the user profile page is already crowded, and breaking this out might help make things clearer. Perhaps leave a link to the “configure two factor” page.
  • An explanatory admin notice to say that activating methods has failed
  • An explanatory admin notice for each failed method, explaining what needs to be done to get past this

simonwheatley, Mar 27 '17 14:03
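The failure mode in step 5 and the per-method notices asked for in the suggestions can be shown side by side in a small PHP script. This is an added illustration, not code from the Two-Factor plugin: the provider names, the `$user` array, and the check callbacks are assumptions, and the sample user state (a TOTP secret present, no backup codes, no phone number) is constructed to match the report.

```php
<?php
// Added example, not the Two-Factor plugin's own code. Provider names,
// the $user array shape and the check callbacks are assumptions.

declare(strict_types=1);

// Constructed sample state: TOTP set up, backup codes exhausted, no phone.
$user = [
    'totp_secret'       => 'JBSWY3DPEHPK3PXP',
    'backup_codes_left' => 0,
    'phone_number'      => '',
];

// One activation check per method. Each returns null when the method can be
// enabled, or a message telling the user what to do to get past the failure.
$checks = [
    'Two_Factor_Totp' => function (array $u): ?string {
        return $u['totp_secret'] !== ''
            ? null
            : 'Scan the QR code and enter a valid code before enabling TOTP.';
    },
    'Two_Factor_Backup_Codes' => function (array $u): ?string {
        return $u['backup_codes_left'] > 0
            ? null
            : 'You are out of backup codes and need to regenerate.';
    },
    'Two_Factor_SMS' => function (array $u): ?string {
        return $u['phone_number'] !== ''
            ? null
            : 'Add a verified phone number before enabling SMS.';
    },
];

/**
 * All-or-nothing activation: the update is abandoned as soon as any checked
 * method fails, so the methods that would have passed are not saved either.
 * This is the behaviour described in the report.
 */
function activate_all_or_nothing(array $submitted, array $checks, array $user): array
{
    foreach ($submitted as $provider) {
        $msg = isset($checks[$provider]) ? ($checks[$provider])($user) : 'Unknown method.';
        if ($msg !== null) {
            return ['enabled' => [], 'errors' => [$provider => $msg]];
        }
    }
    return ['enabled' => $submitted, 'errors' => []];
}

/**
 * Independent activation: every submitted method is validated on its own,
 * the ones that pass are enabled, and each failure gets its own notice.
 * A provider the server does not recognise is never enabled.
 */
function activate_independently(array $submitted, array $checks, array $user): array
{
    $enabled = [];
    $errors  = [];
    foreach ($submitted as $provider) {
        if (!isset($checks[$provider])) {
            $errors[$provider] = 'Unknown method.';
            continue;
        }
        $msg = ($checks[$provider])($user);
        if ($msg === null) {
            $enabled[] = $provider;
        } else {
            $errors[$provider] = $msg;
        }
    }
    return ['enabled' => $enabled, 'errors' => $errors];
}

// The three boxes ticked in the report, submitted together.
$submitted = ['Two_Factor_SMS', 'Two_Factor_Backup_Codes', 'Two_Factor_Totp'];

print_r(activate_all_or_nothing($submitted, $checks, $user));
print_r(activate_independently($submitted, $checks, $user));
```

With the constructed state, the all-or-nothing version stops at the first failing method (SMS) and enables nothing, which is why TOTP never got saved in step 4 even though it would have passed. The independent version enables TOTP, and returns one message each for SMS and backup codes; in a WordPress plugin those messages are what you would surface through an `admin_notices` hook, one notice per failed method, rather than a single generic message.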

My hesitancy with breaking Two-Factor out onto its own admin page was that I didn't want to clutter the admin menu with an extra tab for users that don't use two-factor.

I'd be 100% fine breaking it out if we add some logic so that it's only displayed if they click a checkbox to enable two-factor authentication on their profile page or the like.

Maybe a single check to enable two-factor on the profile page, and then a subpage to configure it further? It's a bit complex, no matter how it's done. :\

georgestephanis, Mar 27 '17 16:03

Could just be a link on the user's profile, and from there you turn on/off and setup (I don't see a need for it to be accessible from the admin menu).

crstauf, Dec 28 '18 15:12