Steps to reproduce:
- Have 2FA enabled
- Log in
- Go to Special:Manage_Two-factor_authentication
- Use Disable for TOTP
- Use a scratch code for the validation
What happens:
- Successful disabling is reported
- 2FA is NOT actually disabled
- The scratch code is consumed
What should have happened:
- 2FA should have been disabled
Security risk: Availability
- Users may be locked out of their account without any ability to recover
I was able to replicate this in production on testwiki, and have also received private user reports of the same problem.
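As an added illustration, not code from the OATHAuth extension, here is a small Python model of the failure mode described above: the scratch code is consumed and persisted, but the change that would clear the TOTP secret never reaches storage, and the validation result is reported as a successful disable. Beside it is a version that commits both changes in one write and derives the reported result from the re-read state. The `Store` and `Record` names are constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Record:
    """One user's OATH state (constructed stand-in, not the extension's schema)."""
    totp_secret: Optional[str]
    scratch_codes: List[str] = field(default_factory=list)

class Store:
    """In-memory stand-in for the user auth table; load() hands out copies,
    as an ORM row would, so edits are only durable after save()."""
    def __init__(self) -> None:
        self._rows: Dict[str, Record] = {}

    def load(self, user: str) -> Record:
        return deepcopy(self._rows[user])

    def save(self, user: str, rec: Record) -> None:
        self._rows[user] = deepcopy(rec)

def consume_scratch(rec: Record, code: str) -> bool:
    """Scratch codes are single use: a successful match removes the code."""
    if code not in rec.scratch_codes:
        return False
    rec.scratch_codes.remove(code)
    return True

def disable_totp_buggy(store: Store, user: str, code: str) -> bool:
    """Mirrors the report: the consumed scratch code is persisted, the cleared
    secret only changes the local copy, and validation is reported as success."""
    rec = store.load(user)
    if not consume_scratch(rec, code):
        return False
    store.save(user, rec)          # scratch code is now gone for good
    rec.totp_secret = None         # never written back: 2FA stays enabled
    return True                    # "Successful disabling is reported"

def disable_totp_fixed(store: Store, user: str, code: str) -> bool:
    """Consume the code and clear the secret in one write, then report success
    only if the re-read state actually shows 2FA disabled."""
    rec = store.load(user)
    if not consume_scratch(rec, code):
        return False
    rec.totp_secret = None
    store.save(user, rec)          # one write: both changes land or neither does
    return store.load(user).totp_secret is None   # verify outcome, not intent
```

The buggy path leaves the user with one fewer scratch code and 2FA still enabled, which is exactly the lockout the report warns about; the fixed path cannot report success unless storage confirms the secret is gone.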