Potentially confusing behaviour re. the list of existing recovery codes shown when adding a new 2FA module
Open, Needs Triage, Public

Description

Firstly, apologies if this is already covered in other ticket/s - feel free to merge/close this task if it is!

For context - I already have a TOTP/authenticator app enabled for my Wikimedia SUL account, that I added to my account prior to $wgOATHAllowMultipleModules / $wgOATHAuthNewUI being enabled on Wikimedia wikis (https://gerrit.wikimedia.org/r/1193928). When I originally added this 2FA/TOTP app to my account, the software gave me a list of recovery codes, which it said "will never be shown again".

Now that the new UI & multiple 2FA modules have been enabled in Wikimedia production, navigating to (e.g.) https://auth.wikimedia.org/metawiki/w/index.php?title=Special%3AAccountSecurity&action=enable&module=webauthn seems to purport to include a list of my existing recovery codes. However, only one recovery code is (currently) included on this list, and it's not one of the ones on the list of recovery codes that I was previously given when initially setting up 2FA.

So, I suppose my confusion here is threefold:

  1. The software is apparently trying to show me the recovery codes associated with my account, even though I was previously told by the software that the recovery codes would "never be shown again" after they were displayed during the initial 2FA setup. (I don't know if that presents any sort of risk or not -- I'd assume not, given that I assume this new behaviour is intentional; but as an end-user who's previously been given the "never be shown again" message, it's certainly unexpected.)
  2. The recovery code I'm being shown is one that I've personally never seen before. As an end-user, I therefore wonder how it's been generated? / why it's been generated? / whether I need to download it (and add it to my already-saved list of recovery codes) or not?
  3. The recovery codes that were previously generated when I originally enabled 2FA aren't shown in this list. As an end-user, that leaves me unsure & slightly worried as to whether my previous recovery codes have been unintentionally deleted / will still work or not. (I've since tested one of them, and it did seem to work; but prior to testing it out I genuinely wasn't sure if this would be the case.)

Event Timeline

T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration basically fixes this.

There's a few workflow issues, such as the recovery code being automatically generated, but the user is never directly informed. T406281: Display new recovery code after user logs in with recovery code is a variant of that.

T354030: Allow viewing recovery codes again? was discussed, and is a purposeful change of behaviour in the UI and multiple module behaviour.

See also: T405873: Recovery options doesn't show existing Recovery Codes and the fact you can see the new style codes when adding a new factor...

Fair enough. As I said in the task description, feel free to close this if things are already covered elsewhere in separate tasks :) /gen

Assuming that I'm understanding correctly, that task would result in the current recovery codes for anyone with a pre-existing TOTP device being migrated into recovery codes that'd also be listed at Special:AccountSecurity. If so, personally I probably would have blocked the WMF production enabling of the new UI/multiple-module support on this (if I was the person making the decision), given the potential concern/worry that could be caused to people who check Special:AccountSecurity prior to that script being run and don't see their current recovery codes in that list. To be fair, that's just my own opinion/feedback, though, as one individual person/end-user -- so take it as you will :]

> There's a few workflow issues, such as the recovery code being automatically generated, but the user is never directly informed. T406281: Display new recovery code after user logs in with recovery code is a variant of that.

In this case, I think the previously-unknown newly-generated recovery code was visible in Special:AccountSecurity prior to me testing a login with one of my current recovery codes; so IIUC I don't think T406281 would cover why a new recovery code was seemingly generated for my account.

> T354030: Allow viewing recovery codes again? was discussed, and is a purposeful change of behaviour in the UI and multiple module behaviour.

Fair enough :) That answers that question then. Personally I expect that it might cause at least some initial confusion (given the previous 'never again' messaging), so I guess folks should probably be aware that there may be more queries coming in regarding that; but nevertheless it's good to know that it's an intentional decision.

(boldly adding [what I believe is the] tag for the project that this feedback relates to)