Are there any plans to add support for backup codes to the 2FA system?
Yup this is planned for and would probably be done in the 2.1 release.
I’m looking into adding support for 2FA backup codes. This is what I came up with so far and I’d really appreciate some feedback. It is a very basic flow so far, but hopefully enough to raise some questions/points to consider.
In order to enable backup codes, the primary method (TOTP) has to be enabled.
After enabling backup codes, the user gets to copy and store the codes. If the user loses the backup codes, they have to reset them and get a new set of codes.
A backup code can be used everywhere an authentication code is required if the device providing the TOTP code is not available.
This will be built upon the feature @featheredtoast initially built, using user_second_factors, and since you gave this some thought already I’d appreciate it if you have any suggestions.
Recovery codes for 2FA?
Would it be possible (or will it be possible in the next future) to download a text file instead of copying the codes?
Was thinking about it too and will consider it when I get the basic functionality going.
I agree, there should be an option to download backup codes. I really like how Google does it – they even show me which backup codes were already used. But, looking at the screenshots, I think enabling backup codes is planned to be a one-time action with no ability to show them again. That’s fine too.
Anyway, the most important thing is that it shouldn’t be possible to create backup codes unless I authenticate with my password and a second factor or recently logged in with both. Otherwise someone could steal my backup codes.
The more 2fa items we’ve got, the more desire for a dedicated 2fa page, kinda how google accounts do this - I’m leaning towards a page that requires a password confirm and optional 2factor credentials to access, that allows a user to configure 2factor details. This would open the UX gates to allow for multiple 2factor devices.
re: backup codes specifically, I’d lean more towards having a one time download for codes, which would have to be re-generated to show another batch of codes. I’m not sure I like showing how many backup codes a user has left on the login page. I’d prefer to keep that count in the user profile instead.
Overall, I’d say the mockup looks quite good, and I agree with what you have here, where we invalidate all codes + regenerate, rather than reveal older codes.
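The flow proposed above (generate a set of single-use codes, show them once, and invalidate the whole set on regeneration) together with the requirement that generation only happens after the password and second factor were confirmed can be sketched in a few dozen lines of Ruby. The following is an added illustration, not Discourse code and not the user_second_factors schema: `BackupCodes` is a hypothetical in-memory stand-in for the table, the code format and count are assumptions, and the PBKDF2 work factor is a demo value.

```ruby
require "securerandom"
require "openssl"

# Hypothetical in-memory stand-in for a user_second_factors style table.
# Only salted PBKDF2 digests are kept; plaintext codes exist once, at generation.
class BackupCodes
  CODE_COUNT = 10        # assumed size of one batch
  ITERATIONS = 10_000    # PBKDF2 work factor (demo value; raise in production)

  Entry = Struct.new(:salt, :digest, :used)

  def initialize
    @store = Hash.new { |h, k| h[k] = [] } # user_id => [Entry, ...]
  end

  # Create a fresh batch. Any previous batch is discarded, so old codes stop
  # working (invalidate + regenerate rather than reveal older codes).
  # The caller must have confirmed password and second factor first.
  def generate!(user_id, reauthenticated:)
    raise "password and second factor must be confirmed first" unless reauthenticated

    raw_codes = Array.new(CODE_COUNT) { SecureRandom.hex(6) } # 48 bits each
    @store[user_id] = raw_codes.map do |raw|
      salt = SecureRandom.random_bytes(16)
      Entry.new(salt, hash_code(raw, salt), false)
    end
    raw_codes.map { |raw| format_code(raw) } # returned exactly once, never stored
  end

  # Consume a code. Returns true on success; each code works only once.
  def verify!(user_id, candidate)
    raw = normalize(candidate)
    @store[user_id].each do |entry|
      next if entry.used
      if secure_equal?(hash_code(raw, entry.salt), entry.digest)
        entry.used = true
        return true
      end
    end
    false
  end

  # Number of unused codes, for display on the profile page.
  def remaining(user_id)
    @store[user_id].count { |e| !e.used }
  end

  private

  def format_code(raw)
    raw.scan(/.{4}/).join("-") # "a1b2-c3d4-e5f6"
  end

  # Accept what a user is likely to type: any case, with or without dashes.
  def normalize(code)
    code.to_s.downcase.delete("- ")
  end

  def hash_code(raw, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(raw, salt, ITERATIONS, 32, "sha256")
  end

  # Constant-time comparison so timing does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because a second-factor check happens before `generate!` and the plaintext batch is only ever returned, not stored, a later "show codes" action is impossible by construction; the only way to get codes again is to regenerate, which is the behaviour agreed on above.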
Some minor changes
I would call this “create new backup codes”; if you click it I would always require a token prior to showing them. (If you have codes I would say they exist.) I would follow whatever Google does regarding allowing re-download vs. always regenerate.
I would also add something to the initial screen, after you confirm the token, for directly downloading codes after you scan the barcode.