Make 2FA backup codes a separate entity

Proposal

  • Currently, we see the 2FA backup codes after we set up an authenticator app
  • I'm proposing that we have a separate section for backup codes, independent of the "authenticator app" section.
  • This has a number of benefits:
    • With more 2FA methods in place / on the way (U2F, SMS), you can have backup codes generated without having to set up an authenticator app first
    • Backup codes can be reset without setting up the authenticator again (the only way to do this now is to turn off 2FA, re-enable it, and set up the authenticator again)
    • See which backup codes have been used, and how many you have left

Links / References

  • Google's current 2FA system implements backup codes in this way:

    [screenshots: google_2fa, google_backup]

Implementation Thoughts

  • From a quick look at the code, the current implementation of backup codes is tightly coupled with the authenticator app strategy through devise-two-factor. This might have to be extracted.
  • Do we really want to show the user their backup codes at any time (Google does this), or just the first time they're generated?
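To make the decoupling concrete, here is an added sketch (not GitLab's or devise-two-factor's code) of a backup-code store that carries no authenticator-app secret, so codes can be generated, reset and audited on their own. The code format (eight hex characters, ten codes) and the SHA-256 storage are assumptions for the example.

```ruby
require "securerandom"
require "openssl"
# Added example (not GitLab's or devise-two-factor's code): a backup-code store
# that holds no authenticator-app secret, so codes can be generated, reset and
# audited independently of the TOTP set-up.
class BackupCodes
  CODE_COUNT = 10
  Entry = Struct.new(:digest, :used_at)

  def initialize
    @entries = []
  end

  # Issues a fresh batch, discarding any previous codes (the "reset" case).
  # Plaintext codes are returned once; only their digests are kept.
  def regenerate!
    codes = Array.new(CODE_COUNT) { SecureRandom.hex(4) } # 8 hex chars each
    @entries = codes.map { |c| Entry.new(digest(c), nil) }
    codes
  end

  # Consumes a code if it is valid and not yet used. Returns true on success.
  def redeem(code)
    d = digest(code.to_s.strip.downcase)
    entry = @entries.find { |e| e.used_at.nil? && secure_equal?(e.digest, d) }
    return false unless entry
    entry.used_at = Time.now.utc
    true
  end

  # Audit view for the "how many left" screen: [used, remaining].
  def usage
    used = @entries.count { |e| e.used_at }
    [used, @entries.size - used]
  end

  private
  # SHA-256 keeps the example dependency-free; a deliberately slow hash such as
  # bcrypt is the better choice for codes stored in a real database.
  def digest(code)
    OpenSSL::Digest::SHA256.hexdigest(code)
  end

  # Constant-time comparison of two equal-length digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because `regenerate!` never touches an OTP secret, the reset path in the second bullet above no longer requires disabling 2FA, and `usage` gives the used/remaining view from the third bullet.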
Edited Sep 02, 2020 by 🤖 GitLab Bot 🤖