Require users to copy, download, or print 2FA recovery codes
What does this MR do?
Related to #267730 (closed)
To encourage users to save their 2FA recovery codes this MR adds "Copy codes", "Download codes" and "Print codes" buttons to the recovery codes view. It also disables the "Proceed" button until the the user has either copied, downloaded, or printed their codes.
Local testing
- Enable
vue_2fa_recovery_codes
feature flagbin/rails console
Feature.enable(:vue_2fa_recovery_codes)
- Navigate to
/-/profile/account
- Click "Enable two-factor authentication"
- Open up 1Password
- Click + icon and then "Login"
- Create a new "One-Time Password" section
- Click the QR icon left of the dropdown that was just used
- Drag the QR window over the QR code
- Paste the OTP in the "Pin code" field and click "Register with two-factor app"
Lock yourself out of GDK by accident?
No need to panic, I did this a bunch of times
bin/rails console
-
user = User.find(1)
(or whatever ID your user is, default admin is1
) TwoFactor::DestroyService.new(user, user: user).execute
Screenshots (strongly suggested)
Desktop
Page | Before | After |
---|---|---|
Recovery codes | ||
Recovery codes - Proceed enabled | N/A | |
Account after clicking "Proceed" |
Mobile
Page | Before | After |
---|---|---|
Recovery codes | ||
Account after clicking "Proceed" |
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- Not needed, behind a feature flag
-
Documentation (if required) - Will make some minor changes to docs in separate MR before enabling FF -
Code review guidelines -
Merge request performance guidelines -
Style guides - [-] Database guides
-
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers - [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Hegman