Users can generate recovery codes without having 2FA enabled
If a user goes to the recovery codes generation path, it will generate codes, regardless of if a user has TOTP or U2F enabled (or neither). The user is not prompted for 2FA when logging in (as expected). These recovery codes can then be used to enable TOTP. Users should only be able to generate recovery codes after enabling 2FA - otherwise, they should be redirected to the security settings path and an error message displayed to them.
- Determine root cause
- Fix bug
- Write tests for it