When a user who has enabled 2FA visits Special:OATH, there is only one thing they can do: enter a TOTP code to disable 2FA altogether. This means that if I want to use multiple TOTP devices, I must set them all up at the same time, while the QR code is on screen.
If I later want to add a device, I have to disable and re-enable 2FA, which replaces the secret and all the scratch codes, so every existing device has to be set up once again. This is rather inconvenient.
This problem can be solved with one simple change. When a current 2FA user visits Special:OATH, there should be two options: "update two-factor authentication" and "disable two-factor authentication". If the user chooses "update two-factor authentication", verify their TOTP code exactly as "disable" does today and then simply take them back to the screen where the QR code and the scratch codes are displayed.
With this change, a user can add devices (or view their remaining scratch codes) without resetting 2FA completely. I think the possibility to set up additional devices at a later date will encourage many more users to take up 2FA.
(I guess the long-term solution is to allow multiple devices with different TOTP secret keys, but that's a long-term goal.)
A note on security: there is no additional security risk in displaying the QR code and the scratch codes again, because a valid TOTP code (or scratch code) is required before the user can view them, just as it is required to disable 2FA today. The one check the implementation must keep is that a code, once verified, is consumed (a TOTP code accepted for a given time step is not accepted again, and a used scratch code is removed), so that a code observed in transit cannot be replayed within its validity window to pull the secret.
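The proposed flow, as an added worked example that is not OATHAuth's own code: a minimal RFC 6238 TOTP verifier with scratch codes, behind a `special_oath()` function that offers "update" (re-display the otpauth:// QR URI and the remaining scratch codes) and "disable". Both actions are gated by the same token check, and that check consumes the code it accepts so it cannot be replayed. All names (`TwoFactorRecord`, `special_oath`, `verify_token`, the `store` dict) and the 5-code scratch count are assumptions made for the example; the secret in the usage is the RFC 6238 test key.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from dataclasses import dataclass

# Constants assumed for this example (not OATHAuth's configuration).
ISSUER = "MediaWiki"
TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_WINDOW = 1         # accept +/- one step of clock drift
SCRATCH_CODE_COUNT = 5  # the page says OATHAuth issues 5 scratch codes


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, truncated per RFC 4226."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class TwoFactorRecord:
    """Constructed model of what the server stores for a 2FA user."""
    secret: bytes
    scratch_codes: set[str]
    last_used_step: int = -1  # highest time step already accepted; blocks replay


def enroll(secret: bytes | None = None, scratch_codes: set[str] | None = None) -> TwoFactorRecord:
    """Initial 2FA setup: fresh random secret and scratch codes unless supplied
    (supplying them is only for the deterministic usage below)."""
    if secret is None:
        secret = secrets.token_bytes(20)
    if scratch_codes is None:
        scratch_codes = set()
        while len(scratch_codes) < SCRATCH_CODE_COUNT:
            scratch_codes.add(f"{secrets.randbelow(10 ** 8):08d}")
    return TwoFactorRecord(secret=secret, scratch_codes=set(scratch_codes))


def verify_token(rec: TwoFactorRecord, token: str, now: int) -> bool:
    """Accept a fresh TOTP code within the drift window (never one for a step
    already used) or an unused scratch code (removed on use)."""
    step = now // TOTP_STEP
    for candidate in range(step - TOTP_WINDOW, step + TOTP_WINDOW + 1):
        if candidate <= rec.last_used_step:
            continue  # consumed: a captured code cannot be replayed
        if hmac.compare_digest(totp(rec.secret, candidate * TOTP_STEP), token):
            rec.last_used_step = candidate
            return True
    for code in rec.scratch_codes:
        if hmac.compare_digest(code, token):
            rec.scratch_codes.discard(code)
            return True
    return False


def provisioning_uri(username: str, rec: TwoFactorRecord) -> str:
    """The otpauth:// URI the enrollment QR code encodes. Re-showing it lets a
    new device load the same secret, so all devices produce the same codes."""
    label = urllib.parse.quote(f"{ISSUER}:{username}")
    b32 = base64.b32encode(rec.secret).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={ISSUER}"
            f"&algorithm=SHA1&digits=6&period={TOTP_STEP}")


def special_oath(store: dict, username: str, action: str, token: str, now: int | None = None) -> dict:
    """Proposed Special:OATH for a user who already has 2FA: 'update' re-displays
    the QR URI and remaining scratch codes, 'disable' removes the record.
    Both require a valid, not-yet-used token first."""
    now = int(time.time()) if now is None else now
    rec = store[username]
    if not verify_token(rec, token, now):
        return {"ok": False, "error": "invalid or already used token"}
    if action == "disable":
        del store[username]
        return {"ok": True}
    if action == "update":
        return {"ok": True, "qr_uri": provisioning_uri(username, rec),
                "scratch_codes": sorted(rec.scratch_codes)}
    return {"ok": False, "error": "unknown action"}


if __name__ == "__main__":
    # Constructed usage: RFC 6238 test key, two known scratch codes.
    store = {"alice": enroll(b"12345678901234567890", {"11111111", "22222222"})}
    code = totp(store["alice"].secret, 1234567890)
    print(special_oath(store, "alice", "update", code, now=1234567890))
    print(special_oath(store, "alice", "update", code, now=1234567890))  # replay rejected
```

The replay rule is deliberately strict: once a code for step N is accepted, codes for steps up to N are refused even though N-1 is still inside the drift window, because the only thing a second submission of the same code can mean is that someone else captured it.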
> | | Google | Facebook | Twitter | MediaWiki OATH (as of now) |
> | --- | --- | --- | --- | --- |
> | TOTP | 1 device (or secret) only, changing device invalidates previous TOTP device | When user asks to add device, it asks for (human-remembered) password again and then shows same secret | none | 1 secret only, cannot see existing secret again |
> | scratch codes | 10 codes, user can see existing codes again without needing to regenerate | 10 codes, user can see existing codes again without needing to regenerate | none | 5 codes, cannot see existing codes again |
> | other modes | Phone call or SMS (allows multiple phone numbers); Google Prompt //or// U2F USB | SMS (allows multiple phone numbers); U2F USB/NFC keys | confirmation by email link | none yet |
> | to change... | need to log in then enter password again to access 2FA menu | need to enter password again to change any 2FA item | may ask for confirmation of phone number or email address | need extra 2FA secret or scratch code (but not password) after logging in |