
Backup codes can be downloaded within session #14

Open · 3 tasks
brynwhyman opened this issue Oct 15, 2018 · 9 comments

Comments

@brynwhyman
Collaborator

brynwhyman commented Oct 15, 2018

Allow backup codes to be downloaded within the session that they have been created in.

AC:

  • Creates session-unique download link
  • Backup codes are not available outside of the session
  • Downloaded as .txt file

Notes:
Two ways of doing this:
a. PHP method requiring streaming and custom session deletion logic
b. JS method creating a .txt file, but there may be browser compatibility issues (esp. for SS3 use cases)

Frontend notes:

  • A separate issue will be raised for how to display a download link in the CMS and the login modal
  • Allows for the scenario where a user requests a new set of backup codes in their CMS user profile

Designs: https://projects.invisionapp.com/share/3PNSKZQYBJZ#/screens/322766388
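The JavaScript approach (option b above), as an added example that is not code from this issue or from the module itself. The codes are taken from the same response that rendered them, so the download needs nothing kept in the session, and when Blob or object URLs are unavailable (the browser compatibility concern raised above) the function reports that and the caller can fall back to showing the codes for copy/paste or printing. The names `buildBackupCodesFile` and `downloadBackupCodes`, the sample codes and the site name are assumptions, not the module's API.

```javascript
// Added example (not the module's own code): build and download a ".txt" file
// of backup codes entirely on the client, from codes already present in the
// page, so no plaintext codes ever need to be stored in the server session.

// Constructed sample codes for a stand-alone run; real codes come from the
// response that just generated them.
const SAMPLE_CODES = ['k3m9p2qa', 'x7c4v1nz', 'h8j2t6wd', 'b5n1r9ls'];

// Pure function: returns the file name and text content, so it can be tested
// without a browser.
function buildBackupCodesFile(codes, siteName, generatedAt = new Date()) {
  if (!Array.isArray(codes) || codes.length === 0) {
    throw new Error('no backup codes to export');
  }
  const header = [
    `${siteName} backup codes`,
    `Generated: ${generatedAt.toISOString()}`,
    'Each code can be used once. Keep this file somewhere safe.',
    '',
  ];
  const body = codes.map((code, i) => `${i + 1}. ${code}`);
  const slug = siteName.toLowerCase().replace(/[^a-z0-9]+/g, '-');
  return {
    filename: `${slug}-backup-codes.txt`,
    content: header.concat(body).join('\n') + '\n',
  };
}

// Triggers the download via a Blob object URL. Returns { downloaded, file } so
// the caller knows whether to fall back to copy/paste or print.
function downloadBackupCodes(codes, siteName, doc = globalThis.document) {
  const file = buildBackupCodesFile(codes, siteName);
  const blobSupported =
    typeof Blob !== 'undefined' &&
    typeof URL !== 'undefined' &&
    typeof URL.createObjectURL === 'function';
  if (!blobSupported || !doc || !doc.body) {
    // Older browsers (the SS3 concern): leave the codes on screen instead.
    return { downloaded: false, file };
  }
  const blob = new Blob([file.content], { type: 'text/plain;charset=utf-8' });
  const url = URL.createObjectURL(blob);
  try {
    const link = doc.createElement('a');
    link.href = url;
    link.download = file.filename;
    link.style.display = 'none';
    doc.body.appendChild(link);
    link.click();
    doc.body.removeChild(link);
  } finally {
    // Revoke immediately so the plaintext codes are not reachable via the
    // object URL for the rest of the page's lifetime.
    URL.revokeObjectURL(url);
  }
  return { downloaded: true, file };
}

// Stand-alone run: in a browser this triggers the download; in Node it takes
// the fallback path and prints the file contents instead.
const exported = downloadBackupCodes(SAMPLE_CODES, 'Example Site');
console.log(exported.downloaded ? 'download triggered' : exported.file.content);
```

The split into a pure builder and a thin download wrapper is deliberate: the builder can be unit-tested, and the wrapper is the only place that touches browser APIs, which keeps the compatibility fallback in one spot.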

@brynwhyman
Collaborator Author

Pointing the javascript method.

@chillu

chillu commented Nov 2, 2018

> js method is creating a .txt file

I think this is overkill, just allow printing and copy/paste.

@brynwhyman brynwhyman added this to the Sprint 24 milestone Nov 6, 2018
@robbieaverill
Collaborator

robbieaverill commented Nov 8, 2018

I totally agree with @chillu, but I've triaged as originally scoped. I vote we should close this issue or change it to ensure it's clear to the user how they can print or copy their backup codes, but it's not my place to do so without PO approval 👍

@robbieaverill
Collaborator

> Allows for the scenario where a user could download backup codes after MFA is set up and codes are generated

I'm not sure this is a "standard" thing to do with MFA flows. Usually you only have one opportunity to get them: when they're first generated and shown to you.

@ScopeyNZ
Collaborator

I'll just remove that bit. When we were talking about this last week we were discussing how to avoid having them stored in session ever (for the download link) and everyone seemed on the same page...

@robbieaverill
Collaborator

In terms of the display of the backup codes, it'll happen in two places: the CMS in a Member's CMS fields, and on the frontend once a user has enabled and configured an MFA method (only TOTP, or do backup codes apply to other methods like Yubikey as well?).

We can/should re-use the logic for generating the CMS fields for both places.

I guess the frontend version would be a new controller action which would be redirected to after successfully configuring MFA. In the CMS it'd be part of CMS fields.

@ScopeyNZ
Collaborator

> do backup codes apply to other methods like Yubikey as well

They do. All MFA methods extending this module will have backup codes provided. But I guess you don't get another set for a second MFA method? 🤔

Sounds good to me - we just want to avoid ever having backup codes in session.

@rupachup rupachup modified the milestones: Sprint 24, Sprint 25 Nov 13, 2018
@newleeland

> Allows for the scenario where a user could download backup codes after MFA is set up and codes are generated
>
> I'm not sure this is a "standard" thing to do with MFA flows. Usually you only have one opportunity to get them: when they're first generated and shown to you

Being able to view backup codes after sign up is a pattern that is common for Slack, Facebook, Google. But resetting the recovery codes after sign up is probably more secure. This shouldn't be a huge design flow change.

@robbieaverill
Collaborator

You're right, I'm sorry. Slack lets me view my unused backup codes whenever I want.

6 participants