Backup codes by themselves are not a good option for multi-factor authentication, and yet at present it is too easy for users to generate backup codes and, in the process, enable backup-code-only MFA.
I can think of two changes that would help mitigate this:
1. Change the default templates such that backup code generation links are not displayed until either U2F or TOTP is enabled.
2. Remove backup codes from the `requires_two_factor` function.
While (1) above may be sufficient to avoid the problem in most cases, I'm having a difficult time understanding why someone would want backup-code-only MFA, which is why I proposed (2) as well. That said, perhaps I'm missing something — if so, please enlighten me. ☺️
@gavinwahl: What do you think?
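Sketch of both proposals side by side, as an added example that is not code from the original post or from the project it discusses. The `User` and `Device` classes, the `PRIMARY_FACTORS` set, and every function name below are assumptions standing in for whatever models and helpers the project actually uses; the point is the shape of the check, not the project's API.

```python
"""Hypothetical, framework-free sketch of the two proposed changes:
(1) hide the backup-code generation link until a primary factor
(TOTP or U2F) is enrolled, and (2) make requires_two_factor ignore
backup codes.  Not the project's code; all names are assumptions."""
from dataclasses import dataclass, field

PRIMARY_FACTORS = {"totp", "u2f"}   # factors that count as real MFA
BACKUP = "backup_code"              # recovery-only, never a factor by itself


@dataclass
class Device:
    kind: str               # "totp", "u2f" or "backup_code"
    confirmed: bool = True  # enrolment completed (e.g. first code verified)


@dataclass
class User:
    username: str
    devices: list = field(default_factory=list)


def requires_two_factor_current(user):
    """Behaviour the post objects to: any confirmed device, backup
    codes included, switches the second-factor prompt on, so a user
    who only generated backup codes ends up with backup-code-only MFA."""
    return any(d.confirmed for d in user.devices)


def requires_two_factor_proposed(user):
    """Proposal (2): only a confirmed primary factor enables MFA."""
    return any(d.confirmed and d.kind in PRIMARY_FACTORS
               for d in user.devices)


def can_generate_backup_codes(user):
    """Proposal (1): the template shows the generation link only once
    a primary factor is enrolled, so backup codes always back something."""
    return requires_two_factor_proposed(user)


def backup_code_only(user):
    """Audit helper: True for accounts already in the bad state
    (confirmed backup codes, no primary factor).  Useful for finding
    existing users to warn or migrate if proposal (2) is adopted."""
    has_backup = any(d.confirmed and d.kind == BACKUP for d in user.devices)
    return has_backup and not requires_two_factor_proposed(user)


if __name__ == "__main__":
    # Constructed sample accounts, one per state worth distinguishing.
    samples = [
        User("none"),
        User("backup-only", [Device(BACKUP)]),
        User("totp", [Device("totp")]),
        User("totp+backup", [Device("totp"), Device(BACKUP)]),
        User("unconfirmed-totp", [Device("totp", confirmed=False)]),
    ]
    for u in samples:
        print(f"{u.username:18} current={requires_two_factor_current(u)!s:5} "
              f"proposed={requires_two_factor_proposed(u)!s:5} "
              f"can_generate={can_generate_backup_codes(u)!s:5} "
              f"backup_only={backup_code_only(u)}")
```

Run as a script it prints one row per sample account; the `backup-only` row is the case the post describes, where the current check says MFA is on and the proposed check says it is not. An unconfirmed TOTP device is deliberately treated as absent, since an enrolment that never verified a code should not unlock backup-code generation either.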