Only allow backup codes when another 2FA method exists

[pkevan]

Currently you can setup backup codes without an additional method (TOTP, auth key).

If we want to block this workflow, and tie backup codes to only be used as an additional method, then we'll need to rework the logic and possibly restrict backup codes being a primary method.

[pkevan]

Related: #15

[pkevan]

See: pkevan/two-factor@0f6ee66

[iandunn]

Related #23

See: pkevan/two-factor@0f6ee66

Was that meant to be posted to #22?

If we're writing a custom UI from scratch, I wonder if it'd be better to use React and Gutenberg components/utilities, instead of jQuery/etc?

[pkevan]

Was that meant to be posted to #22?

Yes! Good catch :)

[pkevan]

If we're writing a custom UI from scratch, I wonder if it'd be better to use React and Gutenberg components/utilities, instead of jQuery/etc?

Probably, i'm just prototyping the functionality and following pre-existing patterns in the plugin.

[pkevan]

We can probably achieve this using the two_factor_providers filter.

[pkevan]

#24 as a potential method for doing this.

[TobiasBg]

I only found this repo after opening a ticket in Meta Trac, but for reference: https://meta.trac.wordpress.org/ticket/6825

[iandunn]

Hey 👋🏻 , sorry you experienced that. WordPress/two-factor#507 is the main cause for it, but #75 and #47 will help mitigate it in the mean time.

[TobiasBg]

Hi @iandunn, thanks for the context! Yes, that sounds exactly like what happened. The fix sounds reasonable to me as well. (I'm all set again already, thanks to a forums moderator.)

[renintw]

I guess we can close this issue for now since #75 has already been merged and #47 can stand on its own.
@iandunn @pkevan If you feel it's necessary, please feel free to reopen it.