Opened 21 months ago
Closed 21 months ago
#6825 closed defect (bug) (reported-upstream)
2FA: Backup codes activating themselves without 2FA enabled
Reported by: | TobiasBg | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Component: | Login & Authentication | Keywords: | |
Cc: | | | |
Description
In reference to https://wordpress.slack.com/archives/C02RQC6RW/p1677760569950479 :
It appears that the new 2FA feature on wp.org auto-activates the requirement for backup codes just when visiting the "Backup codes" screen (I'm pretty sure that I never activated the "I have saved the backup codes" checkbox nor clicked the Activate button on the backup codes screen).
This happened even without 2FA enabled. Activating/storing backup codes only really makes sense if 2FA is enabled, in my opinion.
The opening of the backup codes screen should therefore be part of the workflow of activating 2FA. And, when accessing it before 2FA is enabled, it should redirect to the 2FA setup screen.
Change History (1)
Ok, it looks like Meta is not (yet?) the right place for this. I only found https://github.com/WordPress/wporg-two-factor/ now and will close this ticket in favor of that.
https://github.com/WordPress/wporg-two-factor/issues/21 seems to be a similar report.