Making WordPress.org

#6825 closed defect (bug) (reported-upstream)

2FA: Backup codes activating themselves without 2FA enabled

Reported by: TobiasBg
Owned by:
Milestone:
Priority: normal
Component: Login & Authentication
Keywords:
Cc:

Description

In reference to https://wordpress.slack.com/archives/C02RQC6RW/p1677760569950479 :

It appears that the new 2FA feature on wp.org auto-activates that backup codes are required just when visiting the "Backup codes" screen (I'm pretty sure that I never activated the "I have saved the backup codes" checkbox nor clicked the Activate button on the backup codes screen).

This happened even without 2FA enabled. Activating/storing backup codes only really makes sense if 2FA is enabled, in my opinion.
The opening of the backup codes screen should therefore be part of the workflow of activating 2FA. And, when accessing it before 2FA is enabled, it should redirect to the 2FA setup screen.

Change History (1)

#1 @TobiasBg
21 months ago

  • Resolution set to reported-upstream
  • Status changed from new to closed

Ok, it looks like Meta is not (yet?) the right place for this. I only found https://github.com/WordPress/wporg-two-factor/ now and will close this ticket in favor of that.

https://github.com/WordPress/wporg-two-factor/issues/21 seems to be a similar report.
