Making WordPress.org

#6825 closed defect (bug) (reported-upstream)

2FA: Backup codes activating themselves without 2FA enabled

Reported by: tobiasbg's profile TobiasBg Owned by:
Milestone: Priority: normal
Component: Login & Authentication Keywords:
Cc:

Description

In reference to https://wordpress.slack.com/archives/C02RQC6RW/p1677760569950479 :

It appears that the new 2FA feature on wp.org auto-activates that backup codes are required just when visiting the "Backup codes" screen (I'm pretty sure that I never activated the "I have saved the backup codes" checkbox nor clicked the Activate button on the backup codes screen).

This happened even without 2FA enabled. Activating/storing backup codes only really makes sense if 2FA is enabled, in my opinion.
The opening of the backup codes screen should therefore be part of the workflow of activating 2FA. And, when accessing it before 2FA is enabled, it should redirect to the 2FA setup screen.

Change History (1)

#1 @TobiasBg
12 months ago

  • Resolution set to reported-upstream
  • Status changed from new to closed

Ok, it looks like Meta is not (yet?) the right place for this. I only found https://github.com/WordPress/wporg-two-factor/ now and will close this ticket in favor of that.

https://github.com/WordPress/wporg-two-factor/issues/21 seems to be a similar report.

Note: See TracTickets for help on using tickets.