Open PMaynard opened 9 years ago
Instead of adding another step, it might be nicer to confirm on next login. Next time (or next few times) the user logs in, allow them to disable 2FA.
Normally when you first configure 2FA, they ask you to enter a code just like when you log in. If it matches, all is good; if not, we know their device is not working.
I was trying to avoid any extra steps where they could be avoided, but seeing as they will already have the app open in front of them, it's no effort.
Make sure that the user has correctly added 2FA before enabling it on their account.
For example, I cannot access my account because I enabled 2FA but did not add it to my 2FA app.
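
The confirm-before-enable flow discussed in this thread, as an added example (not code from this project): the secret stays pending, and 2FA is enforced only after a code from the user's app verifies. `Account`, its field names and the function names are hypothetical; the codes are RFC 6238 TOTP with HMAC-SHA1.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical account record; field names are assumptions."""
    def __init__(self):
        self.totp_secret = None      # login enforces 2FA only when this is set
        self.pending_secret = None   # generated but not yet confirmed

def begin_enrollment(account):
    """Create the secret shown as a QR code; 2FA is NOT enabled yet."""
    account.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
    return account.pending_secret

def confirm_enrollment(account, code, now=None, window=1):
    """Enable 2FA only if the user's app produced a valid code."""
    if account.pending_secret is None:
        return False
    now = time.time() if now is None else now
    for drift in range(-window, window + 1):  # tolerate one step of clock skew
        expected = totp(account.pending_secret, now + drift * 30)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            account.totp_secret = account.pending_secret
            account.pending_secret = None
            return True
    return False  # account stays password-only, so a broken setup cannot lock the user out
```
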