Make 2FA backup codes a separate entity
Proposal
- Currently, we see the 2FA backup codes after we set up an authenticator app
- I'm proposing that we have a separate section for backup codes, independent of the "authenticator app" section.
- This has a number of benefits:
  - With more 2FA methods in place / on the way (U2F, SMS), you can have backup codes generated without having to set up an authenticator app first
  - Backup codes can be reset without setting up authenticator again (only way to do this now is to turn off 2FA, re-enable, and set up authenticator)
  - See which backup codes have been used, and how many you have left
Links / References
Implementation Thoughts
- From a quick look at the code, it looks like the current implementation of backup codes is coupled tightly with the authenticator app strategy, through devise-two-factor. This might have to be extracted.
- Do we really want to show the user their backup codes at any time (Google does this), or just the first time they're generated?