Enhancement: automatically generate (and activate) backup codes

[axelsimon]

It's been pointed out to me that it would be a nice default for regular users to have backup codes be automatically generated and showed when activating any other method of 2FA.

It can be dangerous to only activate one 2FA method (decent risk of locking yourselsf out), so we should automatically create the backup codes and show them to the user and prompt them to copy them and keep them safe.

It is possible that not having backup codes or having only one 2FA method is what you really want, (hence my mention of regular users), but in this case you can either remove the backup codes method after or simply not make note of the backup codes.

[axelsimon]

Hi there, any news on this? It could really benefit regular users and help establish good security workflows for organisations wanting to use 2FA on Wordpress.
Thanks!

[kasparsd]

This is a great suggestion @axelsimon!

Unfortunately, I personally don't have time to work on this feature right now.

[r-a-y]

I think having the Backup Verification Codes option as a selectable 2FA method is wrong. It should be moved out of the 2FA table and displayed similar to the Security Keys section outside the table.

If a 2FA option is selected, but the Backup Verification Codes have not been generated yet, a warning should be displayed.

[iandunn]

Related #485 , #507

[kasparsd]

We've recently added new wording to the settings page in #676 and #669 that specifically calls out the backup codes and shows a warning if only one method is selected: