
Potentially confusing behaviour re. the list of existing recovery codes shown when adding a new 2FA module
Closed, ResolvedPublic

Description

Firstly, apologies if this is already covered in other ticket/s - feel free to merge/close this task if it is!

For context - I already have a TOTP/authenticator app enabled for my Wikimedia SUL account, that I added to my account prior to $wgOATHAllowMultipleModules / $wgOATHAuthNewUI being enabled on Wikimedia wikis (https://gerrit.wikimedia.org/r/1193928). When I originally added this 2FA/TOTP app to my account, the software gave me a list of recovery codes, which it said "will never be shown again".

Now that the new UI & multiple 2FA modules have been enabled in Wikimedia production, navigating to (e.g.) https://auth.wikimedia.org/metawiki/w/index.php?title=Special%3AAccountSecurity&action=enable&module=webauthn seems to purport to include a list of my existing recovery codes. However, only one recovery code is (currently) included on this list, and it's not one of the ones on the list of recovery codes that I was previously given when initially setting up 2FA.

So, I suppose my confusion here is threefold:

  1. The software is apparently trying to show me the recovery codes associated with my account, even though I was previously told by the software that the recovery codes would "never be shown again" after they were displayed during the initial 2FA setup. (I don't know if that presents any sort of risk or not -- I'd assume not, given that I assume this new behaviour is intentional; but as an end-user who's previously been given the "never be shown again" message, it's certainly unexpected.)
  2. The recovery code I'm being shown is one that I've personally never seen before. As an end-user, I therefore wonder how it's been generated? / why it's been generated? / whether I need to download it (and add it to my already-saved list of recovery codes) or not?
  3. The recovery codes that were previously generated when I originally enabled 2FA aren't shown in this list. As an end-user, that leaves me unsure & slightly worried as to whether my previous recovery codes have been unintentionally deleted / will still work or not. (I've since tested one of them, and it did seem to work; but prior to testing it out I genuinely wasn't sure if this would be the case.)

Event Timeline

T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration basically fixes this.

There's a few workflow issues, such as the recovery code being automatically generated, but the user is never directly informed. T406281: Display new recovery code after user logs in with recovery code is a variant of that.

T354030: Allow viewing recovery codes again? was discussed, and is a purposeful change of behaviour in the UI and multiple module behaviour.

See also: T405873: Recovery options doesn't show existing Recovery Codes and the fact you can see the new style codes when adding a new factor...

Fair enough. As I said in the task description, feel free to close this if things are already covered elsewhere in separate tasks :) /gen

Assuming that I'm understanding correctly, that task would result in the current recovery codes for anyone with a pre-existing TOTP device being migrated into recovery codes that'd also be listed at Special:AccountSecurity. If so, personally I probably would have blocked the WMF production enabling of the new UI/multiple-module support on this (if I was the person making the decision), given the potential concern/worry that could be caused to people who check Special:AccountSecurity prior to that script being run and don't see their current recovery codes in that list. To be fair, that's just my own opinion/feedback, though, as one individual person/end-user -- so take it as you will :]

There's a few workflow issues, such as the recovery code being automatically generated, but the user is never directly informed. T406281: Display new recovery code after user logs in with recovery code is a variant of that.

In this case, I think the previously-unknown newly-generated recovery code was visible in Special:AccountSecurity prior to me testing a login with one of my current recovery codes; so IIUC I don't think T406281 would cover why a new recovery code was seemingly generated for my account.

T354030: Allow viewing recovery codes again? was discussed, and is a purposeful change of behaviour in the UI and multiple module behaviour.

Fair enough :) That answers that question then. Personally I expect that it might cause at least some initial confusion (given the previous 'never again' messaging), so I guess folks should probably be aware that there may be more queries coming in regarding that; but nevertheless it's good to know that it's an intentional decision.

(boldly adding [what I believe is the] tag for the project that this feedback relates to)

Catrope subscribed.

Thanks for this report! This has since been cleaned up by T407057: Run MoveRecoveryCodesFromTOTP.php, which combined all users' old-style (TOTP-associated) and new-style recovery codes. As a result, some users now have 11 or 20 recovery codes instead of 10, depending on when they first visited the new Special:AccountSecurity page. The combined set of recovery codes is now consistently displayed in all places where recovery codes are displayed, and is the full set of recovery codes that will work to log in to your account.

To respond to the 3 points in the task description:

  1. The software is apparently trying to show me the recovery codes associated with my account, even though I was previously told by the software that the recovery codes would "never be shown again" after they were displayed during the initial 2FA setup. (I don't know if that presents any sort of risk or not -- I'd assume not, given that I assume this new behaviour is intentional; but as an end-user who's previously been given the "never be shown again" message, it's certainly unexpected.)

This behavior has indeed changed, and we now do display recovery codes and allow users to copy/download them after they were created. There's some discussion of that on other tasks: T408759 and T354030.

  2. The recovery code I'm being shown is one that I've personally never seen before. As an end-user, I therefore wonder how it's been generated? / why it's been generated? / whether I need to download it (and add it to my already-saved list of recovery codes) or not?

This happened because we separated recovery codes from the TOTP authentication method (which was necessary so that users with only non-TOTP methods would also get recovery codes), but we had not yet fully migrated the TOTP-associated recovery codes to the new recovery codes system. The new system then generated 1 new recovery code for you when you first visited Special:AccountSecurity. We later increased this number to 10, so users who first visited Special:AccountSecurity after that got 10 new recovery codes.

  3. The recovery codes that were previously generated when I originally enabled 2FA aren't shown in this list. As an end-user, that leaves me unsure & slightly worried as to whether my previous recovery codes have been unintentionally deleted / will still work or not. (I've since tested one of them, and it did seem to work; but prior to testing it out I genuinely wasn't sure if this would be the case.)

I understand this concern and I'm sorry that we made this confusing. The TOTP-associated recovery codes always worked for login, but they were not displayed in the list of recovery codes until we completed the migration in T407057. TOTP users who visited Special:AccountSecurity shortly after it launched received 1 new recovery code, and after the migration they now have 11. TOTP users who visited Special:AccountSecurity a little later (after we increased the number of recovery codes to 10, but before the migration) received 10 new recovery codes, and now have 20. Users who visited Special:AccountSecurity after the migration, or who never visited it at all, or who were using WebAuthn instead of TOTP still have 10 recovery codes. (Some users who set up TOTP many years ago received 5 recovery codes at setup time; they will still have 5 codes, or they could have 6 or 15 if they visited Special:AccountSecurity in October.)
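The two-store situation described in the comment above (codes still attached to the TOTP module, a separate recovery-codes module filled on first visit, then a one-off merge) is easy to reason about with a small model. The following Python is an added illustration written for this page; it is not OATHAuth's code, the MoveRecoveryCodesFromTOTP.php script, or MediaWiki's storage layout. The code format, the function names (`visit_account_security`, `migrate`, `redeem`, `scenario`) and the plain-text storage of codes are all assumptions made for the model; plain-text storage is used only because the thread states that codes are re-displayed after creation, which requires them to be retrievable rather than one-way hashed. The model reproduces the counts stated above (11, 20, 10, 6, 15) and shows why a legacy code kept working even while it was not displayed: login checks both stores, and each code is consumed on use.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed code format for the model; not the format OATHAuth issues.
CODE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
CODE_LENGTH = 16


def generate_codes(n: int) -> List[str]:
    """Generate n random recovery codes using a CSPRNG."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(n)]


@dataclass
class Account:
    # Legacy layout: recovery codes live inside the TOTP module record.
    totp_recovery: List[str] = field(default_factory=list)
    # New layout: recovery codes are a module of their own; None means the
    # account has never been touched by the new UI.
    recovery_module: Optional[List[str]] = None


def enable_legacy_totp(account: Account, n_codes: int) -> None:
    """Old-style TOTP setup: codes are issued alongside the TOTP secret."""
    account.totp_recovery = generate_codes(n_codes)


def visit_account_security(account: Account, batch_size: int) -> None:
    """Model of the pre-migration behaviour: the first visit creates the new
    module and fills it with batch_size fresh codes (1 at launch, later 10),
    without looking at codes still attached to TOTP."""
    if account.recovery_module is None:
        account.recovery_module = generate_codes(batch_size)


def migrate(account: Account) -> None:
    """Model of the one-off merge: move TOTP-attached codes into the recovery
    module, creating the module if the account never visited the new UI."""
    if account.recovery_module is None:
        account.recovery_module = []
    account.recovery_module.extend(account.totp_recovery)
    account.totp_recovery = []


def visible_codes(account: Account) -> List[str]:
    """What the new Special:AccountSecurity page would list."""
    return list(account.recovery_module or [])


def valid_code_count(account: Account) -> int:
    """Codes that actually work for login, displayed or not."""
    return len(account.recovery_module or []) + len(account.totp_recovery)


def redeem(account: Account, candidate: str) -> bool:
    """Single-use login with a recovery code. Both stores are consulted, so a
    legacy code works even while it is absent from the displayed list. The
    comparison is constant-time and the matched code is deleted."""
    stores = [account.totp_recovery]
    if account.recovery_module is not None:
        stores.append(account.recovery_module)
    for store in stores:
        for i, code in enumerate(store):
            if hmac.compare_digest(code, candidate):
                del store[i]
                return True
    return False


def scenario(legacy_codes: int, batch_size: int, visited_before_migration: bool) -> int:
    """Number of codes displayed after migration for one user history."""
    acct = Account()
    enable_legacy_totp(acct, legacy_codes)
    if visited_before_migration:
        visit_account_security(acct, batch_size)
    migrate(acct)
    return len(visible_codes(acct))


if __name__ == "__main__":
    print("visited at launch (batch 1):", scenario(10, 1, True))        # 11
    print("visited later (batch 10):   ", scenario(10, 10, True))       # 20
    print("never visited:              ", scenario(10, 10, False))      # 10
    print("old 5-code user, batch 1:   ", scenario(5, 1, True))         # 6
```

The design point worth taking from the model is the distinction between `visible_codes` and `valid_code_count`: the user-facing list and the set of credentials that authenticate must be derived from the same store, otherwise a UI that is technically correct still reads as "my codes were deleted". The merge step restores that invariant; until it runs, any check that only consults the displayed module under-reports the account's live credentials.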

Thank you for the detailed explanation & response to the feedback @Catrope, it is very much appreciated :)