laravel / fortify

Backend controllers and scaffolding for Laravel authentication.
https://laravel.com/docs/fortify
MIT License

Recovery codes are reset without feedback when a user logs in using recovery codes #255

Closed fylzero closed 3 years ago

fylzero commented 3 years ago

Steps to reproduce: Fire up a fresh copy of Laravel with Jetstream, register a user, enable 2FA, then log in using a recovery code. It appears this line resets the recovery codes without providing any notification to the end user.

https://github.com/laravel/fortify/blob/db984992eea2286a81429c73a800c784e24e99ff/src/Http/Controllers/TwoFactorAuthenticatedSessionController.php#L59

This would likely require a bit of a joint solve between Fortify and Jetstream, but one I think could be worth looking into. Could be nice to add user feedback here, or possibly a config option to disable the automatic code-reset-on-use functionality in Fortify.

driesvints commented 3 years ago

I think the behavior is expected. It's more secure to invalidate the existing code. Most 2FA systems work like this, I believe. But it's true that we should document this better, probably also with copy in Jetstream. Welcoming PRs for this.
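To illustrate the behaviour both comments describe (a recovery code is single-use and is silently replaced once consumed), here is an added, self-contained PHP example; it is not Fortify's or Jetstream's code. It returns an explicit result from the consume step so the login flow can tell the user a code was spent; the code format and the function names are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Fortify's code. Assumed code format: two 10-char hex
// groups, e.g. "a1b2c3d4e5-f6a7b8c9d0", generated from a CSPRNG.
function generateRecoveryCode(): string
{
    return bin2hex(random_bytes(5)) . '-' . bin2hex(random_bytes(5));
}

/**
 * Check $submitted against the stored codes. On a match the used code is
 * invalidated and replaced by a fresh one (the reset the issue describes),
 * and the caller is told explicitly so it can show feedback to the user
 * instead of rotating the code silently.
 *
 * @param string[] $codes
 * @return array{valid: bool, codes: string[], replaced: ?string}
 */
function consumeRecoveryCode(array $codes, string $submitted): array
{
    $matchIndex = null;
    foreach ($codes as $i => $code) {
        // Compare every code in constant time and never break early, so the
        // response time does not reveal which position (if any) matched.
        if (hash_equals($code, $submitted) && $matchIndex === null) {
            $matchIndex = $i;
        }
    }

    if ($matchIndex === null) {
        return ['valid' => false, 'codes' => $codes, 'replaced' => null];
    }

    $fresh = generateRecoveryCode();
    $codes[$matchIndex] = $fresh;   // the spent code is now unusable
    return ['valid' => true, 'codes' => $codes, 'replaced' => $fresh];
}

// Demo with constructed codes: one code is used, then replayed.
$codes  = array_map(fn () => generateRecoveryCode(), range(1, 8));
$used   = $codes[2];
$result = consumeRecoveryCode($codes, $used);
if ($result['valid']) {
    // This is the feedback the issue asks for.
    echo "Recovery code accepted. It has been invalidated and replaced; "
       . "save your updated recovery codes.\n";
}
$replay = consumeRecoveryCode($result['codes'], $used);
echo $replay['valid'] ? "replay accepted (bug)\n" : "replay rejected\n";
```

The stored list keeps the same number of entries after a login, which is exactly why the user cannot tell from the codes page alone that one was consumed; the returned `replaced` value is what a login flow would use to prompt them to save the updated list.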