Remove OTP from being required before WebAuthn Device is registered
##### [🎨 Figma work file](https://www.figma.com/file/xftNApQbfWpibxvNXrE3NK/%23378844-Remove-OTP?node-id=101%3A5594&t=2AFD5YyVT7KIqy81-1)
### Background
In https://gitlab.com/gitlab-org/gitlab/-/issues/232669, GitLab added support for WebAuthn devices. Currently, a two-factor authentication app must be registered before a WebAuthn device can be added.

This requirement was originally added to ensure that a different backup method was in place: WebAuthn can cause customer confusion and create a large support burden from 2FA resets if no non-WebAuthn backup method is configured. We currently don't offer 2FA resets to our Free customers.
However, if TOTP is required as a backup for WebAuthn, it compromises the security of WebAuthn: your security is only as strong as your weakest factor.
### References
This was mentioned in [Slack](https://gitlab.slack.com/archives/C042CBG8HEK/p1666193938349479), and [again](https://gitlab.slack.com/archives/CLM1D8QR0/p1667593381511399) - internal only.
Internal Discussion [here](https://gitlab.com/gitlab-org/gitlab/-/issues/381760)
### Proposal
It should not be required to configure TOTP before adding a WebAuthn device.
- The user must download recovery codes before a WebAuthn device can be added
- The user still has the ability to set up TOTP, but it is not required before a WebAuthn device is added
- Text is added warning the user that they should have at least 2 factors for 2FA