
Separate recovery codes into a separate MFA method
Open, Needs Triage, Public

Description

With WebAuthn approaching, it might be worth separating the Recovery codes from OATHAuth into a separate MFA authentication module and detaching it from the TOTP method, as WebAuthn does not have a recovery method of its own.

See also: T218214#5474912

Event Timeline

I think then having this "backup/recovery code" module be enabled if one (or more) MFA methods are enabled... Makes complete sense

This might make T150601: Add option to generate new set of scratch codes easier too

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

We have a decent size blob we can use though...

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

I do wonder if we can drop the module column, and just have that as part of the data....