Disable backup codes UI until primary provider enabled

[iandunn]

Update: The goal of this has shifted, see #47 (comment)

---

Right now we only allow regenerating backup codes, but not disabling them. The Disable Two Factor... button on the TOTP screen only disables TOTP. Should it also disable backup codes, or should the user be able to control them independently?

Related #21

[dd32]

IMHO: Backup codes should be disabled automatically once TOTP (or in the future, WebAuthN) is disabled, disabling it shouldn't revoke existing codes though.

IMHO We don't want a user to have 2FA enabled via Backup codes alone.

I don't know how the UI would look like in that case, perhaps it should be disabled during the login process (ie. 2FA is not activated) but the user overview should have a green tick?

[bengreeley]

I noticed this as well and am glad there's an issue to address it. As a user who hadn't yet activated 2fa, I was able to click on the 'Two-Factor Backup Codes' option on https://wordpress.org/support/users/bengreeley/edit/account/?screen=account-status , and didn't verify I printed or saved the codes. The next time I logged in, I was prompted to provide a backup code.

I'd think we would want to address two things:

1. Prevent backup codes from being generated unless the user has opted into 2fa.
2. Only count the backup codes as being generated if somebody clicks on the 'I have printed or saved these codes' checkbox.

[pkevan]

@bengreeley there is an upstream issue which details what you are suggestion: WordPress/two-factor#507

[iandunn]

Backup codes should be disabled automatically once TOTP [...] is disabled, disabling it shouldn't revoke existing codes though. [...] We don't want a user to have 2FA enabled via Backup codes alone.

That makes sense. #21 covers most of that, so I guess in this issue we'd just want to modify the UI. The Backup Codes screen should probably not be enabled until another provider is. That would prevent accidentally enabling it.

Keeping the green tick and existing backup codes does make sense to me. Maybe we allow the screen to be shown, but it shows a warning instead of the current content. The warning could explain that they need to have another provider enabled in order for backup codes to be enabled.

[iandunn]

IMO we still need the UI warning for UX. Otherwise the backup codes will still be generated before TOTP is setup, and the user will have to re-generate them if they didn't save them.

[dd32]

Agreed, I didn't intend on closing this :)

[StevenDufresne]

I think this should be included in the MVP, at least the part where the backup codes look clickable before 2fa has been setup.

[renintw]

I'm moving this to MVP as I reckon the part of the backup code is better off having some good handle to prevent users from accidentally enabling it.

[adamwoodnz]

Can we please have some concise requirements added to this? I'd like to pick it up but it's not clear to me exactly what needs to be done.

[StevenDufresne]

Can we please have some concise requirements added to this? I'd like to pick it up but it's not clear to me exactly what needs to be done.

Even though a user hasn't configured their 1fa, they are able to click into the "Generate backup codes" view:

Default State (GIF)

For the MVP, let's disable the backup code view if 2fa is not setup.

[iandunn]

IMO it'd be helpful to also add a warning, otherwise I'm not sure how the user would understand why backup codes are disabled, or how to enabled them.