Closed micschk closed 7 years ago
Working on this with the client, it just came up that auto-regenerating the token on each (re)activation is a feature that we should maintain in validated activation mode, as a safety measure. So the verification should happen based upon the newly generated token, which should not change UPON activation, but just BEFORE activation (in order to be able to validate).
Best point for this would probably be the ajax query which loads the QR (is it OK to have the 2FA process in CMS require JS?). Working to include this in PR #23.
UPDATE: This is all done and added to the PR; if all is OK, it's ready to be merged into 2.1.
This is the way Google does it; prevents users from locking themselves out by activating 2FA without properly scanning the QR.
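The activation flow described in this thread, as an added example that is not the module's own code and not part of PR #23. `TwoFactorAccount`, `begin_activation` and `complete_activation` are assumed names; `begin_activation` stands in for the ajax endpoint that loads the QR and regenerates the secret on every call, and `complete_activation` only switches the account over to that pending secret once a code derived from it has been verified, so the secret in use never changes on a failed activation. The HOTP/TOTP helpers follow RFC 4226/6238 so the block runs with the standard library only.

```python
"""Validated 2FA activation: a fresh secret is generated every time the QR is
(re)loaded, and becomes the account's secret only after the user proves they
scanned it. Added example; names are assumptions, not the module's API."""
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random base32 secret (20 bytes = 160 bits, the RFC 4226 minimum)."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step))


def verify_code(secret_b32: str, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Constant-time comparison against the current step and +/- `window` steps."""
    now = time.time() if at is None else at
    counter = int(now // step)
    submitted = code.strip().encode("utf-8")
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift).encode("ascii"), submitted)
        for drift in range(-window, window + 1)
    )


class TwoFactorAccount:
    """Keeps the secret in use apart from the pending one shown in the last QR."""

    def __init__(self, email: str, issuer: str = "ExampleCMS"):
        self.email = email
        self.issuer = issuer
        self.active_secret = None   # secret that logins are checked against
        self.pending_secret = None  # secret in the most recent QR, not yet trusted
        self.enabled = False

    def begin_activation(self) -> str:
        """Stands in for the ajax QR endpoint (assumed name): every call regenerates
        the pending secret, so a stale QR from an earlier load can never be activated."""
        self.pending_secret = generate_secret()
        label = quote(f"{self.issuer}:{self.email}")
        return (f"otpauth://totp/{label}?secret={self.pending_secret}"
                f"&issuer={quote(self.issuer)}&algorithm=SHA1&digits=6&period=30")

    def complete_activation(self, code: str, at=None) -> bool:
        """Activate only if `code` came from the pending secret. On failure nothing
        changes, so a user who never scanned the QR is not locked out."""
        if self.pending_secret is None or not verify_code(self.pending_secret, code, at):
            return False
        self.active_secret, self.pending_secret = self.pending_secret, None
        self.enabled = True
        return True

    def verify_login(self, code: str, at=None) -> bool:
        """Login check uses only the active secret, never a pending one."""
        return self.enabled and verify_code(self.active_secret, code, at)


if __name__ == "__main__":
    acct = TwoFactorAccount("admin@example.com")
    print(acct.begin_activation())                 # user scans this QR ...
    print(acct.begin_activation())                 # ... reloads it; the first QR is now dead
    print(acct.complete_activation("000000"))      # False: not validated, 2FA still off
    print(acct.complete_activation(totp(acct.pending_secret)))  # True: scanned and proven
```

The pending secret has to live server-side (in the session or on the member record), never round-trip through the client, and a production version also records the last accepted time step so a code cannot be replayed within the acceptance window.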