I’m looking into adding support for 2FA backup codes, this is what I came up so far and I’d really appreciate some feedback. This is very basic flow so far, but hopefully enough to raise some questions/points to consider.
In order to enable backup codes, primary method (TOTP) has to be enabled.
After enabling backup codes, user gets to copy and store the codes. If user loses backup codes, they have to reset them and get the new set of codes.
Backup code can be used everywhere authentication code is required if device providing TOTP code is not available.
This will be build upon the feature @featheredtoast initially built - using user_second_factors, and since you gave this some thought already I’d appreciate if you have any suggestions.