search

WordPress / wporg-two-factor

2FA for WordPress.org accounts
37 stars 8 forks source link

Standardise on 'Backup Code' or 'Recovery Code' #300

Open dd32 opened 3 months ago

dd32 commented 3 months ago

As raised in https://github.com/WordPress/wordpress.org/pull/358#issuecomment-2292901167 I've been using 'Recovery code' in text, but wporg-two-factor uses Backup Codes.

Upstream in the two-factor plugin, they were renamed to Recovery Codes (albeit, by me) in https://github.com/WordPress/two-factor/pull/521

That upstream rename has flowed through to the login screen:
Screenshot 2024-08-20 at 11 43 07 AM Screenshot 2024-08-20 at 11 43 22 AM
Screenshot 2024-08-20 at 11 46 36 AM Screenshot 2024-08-20 at 11 46 56 AM

These are not at all a "backup" (a copy of..) nor are they intended on active use by the holder, rather, it's intended on being an emergency-access or "recover your account access" type scenario. At least in my mind. It may be better to call them Emergency Account Access token even.

We should just standardise on one or the other, whatever that may be.

dd32 commented 3 months ago
WordPress.com Screenshot 2024-08-20 at 11 48 43 AM WordPress.com calls them Backup codes, but also has a separate 'Recovery' process.
GitHub Screenshot 2024-08-20 at 11 49 43 AM GitHub calls it a recovery code, and also has a 2FA recovery process
Google Screenshot 2024-08-20 at 11 55 10 AM Calls them Backup Codes
Facebook Screenshot 2024-08-20 at 11 57 26 AM Calls them Recovery Codes
Slack Screenshot 2024-08-20 at 11 58 41 AM Calls them Backup Codes

It appears that it doesn't really matter what it's called, as long as it's documented somewhere. Most of the services that use Backup seem to also have a Recovery process.