In T415808#11563361, @JJMC89 wrote:

This is currently working as intended. Passkeys are only usable as part of 2FA, not passwordless login, and require another 2FA to be enabled. T321708: MediaWiki should support passwordless login with passkeys is the related feature request.

In my test on jawiki, I found that deleting security key can also show this incorrect warning. FYR.

In T399657#11426073, @TBurmeister wrote:

https://meta.wikimedia.org/wiki/User:TBurmeister_(WMF)/Sandbox/2FA is now a final draft, with just a couple small TODOs left (I've opened threads about with the team to resolve). Feedback on this draft is welcome as comments on this task, or on the Talk page.

If it helps, please refer ja:H:2FA. It is already updated for new 2FA system.
It could be a basis to rewrite other documents.

In T408294#11309423, @Reedy wrote:

Thanks for the report!

I've found numerous other bugs... So many tasks filed off the back of this :(

In T408294#11309328, @Reedy wrote:

Ok, I specifically understand now.

Keep regenerating codes, it doesn't actually regenerate, you lose one at a time until they're all gone...

For your information, at jawiki, it successfully consumes and doesn't show the used code when I login with recovery code.

In my opinion, if we can regenerate recovery codes only with one click, we don't need the option to view existing recovery codes. I think the risk of storing recovery codes in a recoverable format (I mean not using hash function) is much more bigger than the benefit.

In T407167#11298863, @Aklapper wrote:

Patch is not merged, so task is not resolved.

I checked that the patch works well. Thank you so much!

In T407167#11296802, @Catrope wrote:

In T407167#11296757, @Xaosflux wrote:

This is a significant problem. As loss of authenticator requires at a minimum TWO codes, that may only be used once to reset an account. (One to log on, one to disable).

That is no longer true. It used to be that you had to reauthenticate when disabling 2FA, but that has changed. Now, you can take any 2FA management action (adding or removing 2FA methods) within one hour of logging in. If you visit Special:AccountSecurity more than one hour after logging in, you will need to reauthenticate.

Of course the user could get logged out, or fail to fix their 2FA setup within an hour, or ignore the messages we're adding T406281, and those may be reasons to increase the number of recovery codes. But it is now possible to redo your 2FA setup with only one recovery code, you no longer need a minimum of two.

In T407167#11285556, @Reedy wrote:

@T4NeGMp7P4en Why are you adding this as a subtask to every barely related task you can find?

In T407167#11272603, @sbassett wrote:

Hello - thanks for filing this. I'm not sure what is meant by "Instead, automatically disable 2fa when recovery code is used." Recovery codes (and the former scratch tokens, which are still usable via older TOTP/authenticator apps) should never disable 2fa for a user. They should instead facilitate access to an account with 2fa enabled if an authenticator app, FIDO key or other 2fa factor is lost, damaged, stolen, etc. The current single recovery code does regenerate each time it is used and a new code can be copied or downloaded under the new Recovery options section on Special:AccountSecurity. We are currently working to improve this user experience in T406281 and hope to have that completed this quarter (October through December 2025).