The current activation workflow is based on one principle that might have to be revised.
At the moment, 2FA activation and secret key generation are two different actions. This is to allow the user to deactivate 2FA without having to reset his secret key (hence no need to update the site in the TOTP app).
However, this makes the activation more complex for what I believe is a small benefit (if really it is a benefit).
With #17 it makes even less sense as the secret key will probably be removed from the user edit screen.
UX Issue
The current workflow also introduces what I think is a major UX problem. If the user enables 2FA but, for some reason, forgets to add the site to his TOTP app, there is no warning of any kind. The user can very easily end up being locked out of the site because (s)he doesn't have the TOTP.
For complete TOTP activation, the user should be asked to input his TOTP (like it is done in many web apps).
Proposed Workflow
Display only the activate button. Once clicked, the secret key is generated and saved via Ajax. The QR code is then immediately displayed and the user is prompted to input his TOTP.
The secret will be saved in a "temporary" meta (for instance wpga_secret_tmp). The QR code and TOTP prompt will always be displayed when this meta is present. Only when the user enters his TOTP, the temporary meta is deleted and the secret is saved in the final meta entry. This will avoid changing the parts where the secret is accessed.
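The proposed workflow as an added example, not code from the plugin: a Python model of the activate and confirm steps, with a dict standing in for WordPress user meta. The TOTP check follows RFC 6238; `wpga_secret` is an assumed name for the final meta entry, and the rest of the names are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TMP_META = "wpga_secret_tmp"   # pending secret, shown with the QR code (from the issue)
FINAL_META = "wpga_secret"     # assumed name of the final meta entry


def totp(secret_b32: str, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for a given time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class User:
    """Stand-in for WordPress user meta (constructed; not the plugin's API)."""
    def __init__(self):
        self.meta = {}


def start_activation(user: User) -> str:
    """'Activate' clicked: generate the secret and store it only in the temporary meta.
    Returns the base32 secret the QR code would encode."""
    if FINAL_META in user.meta:
        raise RuntimeError("2FA already active")
    secret = base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")
    user.meta[TMP_META] = secret
    return secret


def needs_prompt(user: User) -> bool:
    """The QR code and TOTP prompt are shown whenever the temporary meta exists."""
    return TMP_META in user.meta


def confirm_activation(user: User, code: str, now: int, window: int = 1) -> bool:
    """Verify the user's TOTP; only on success move the secret to the final meta."""
    secret = user.meta.get(TMP_META)
    if secret is None:
        return False
    step = now // 30
    for t in range(step - window, step + window + 1):
        if hmac.compare_digest(totp(secret, t), code):
            user.meta[FINAL_META] = secret
            del user.meta[TMP_META]
            return True
    return False  # wrong code: secret stays pending, nothing is activated yet
```

A failed confirmation leaves the account exactly as before, so a user who never added the site to the TOTP app is never left with 2FA enforced and no code.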