feat(security): add account recovery backup codes #90

Open
opened 2025-10-05 14:22:20 +00:00 by chartgerink · 0 comments
Owner

Currently, when a client activates 2FA, there is no recovery path for themselves. This inevitably will happen to someone, and this can be overcome by talking to an admin (who will have to do due diligence).

In the future, we can add recovery backup codes, which are consumed upon use. This would require:

  • A separate backup codes table
  • Relevant endpoints (for example, to create the backup codes, to restore and consume a code, to create new backup codes – this is not a complete list)
  • A backup code generation process (what should the codes look like to begin with? Memorable or random? English or multilingual? This is not immediately obvious, regrettably)
  • An exploration of additional considerations in this case
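As an added example (not code from researchequals/api), the generate / store-hashed / consume-once flow the issue lists, sketched in Python: codes are random and unambiguous, only a per-user hash reaches the table, and a code stops working after its first use or once a new set is issued. The in-memory dict standing in for the backup codes table and the user-id binding in the hash are assumptions.

```python
import hashlib
import hmac
import secrets

# Lowercase letters/digits without 0/o, 1/l/i: random rather than memorable,
# and the user cannot mistype an ambiguous glyph. 10 symbols ~= 49.5 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10


def generate_codes(n=10, length=CODE_LEN):
    """n independent codes from the CSPRNG (secrets, not random)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


def display(code):
    """Group as abcde-fghjk for the one-time download/print of the codes."""
    return "-".join(code[i:i + 5] for i in range(0, len(code), 5))


def normalise(code):
    """Accept what users actually type: case and separators are ignored."""
    return code.lower().replace("-", "").replace(" ", "")


def hash_code(user_id, code):
    # Bind the hash to the account so rows from a leaked table cannot be
    # matched across users; swap in a slow password hash if codes are shorter.
    return hashlib.sha256(f"{user_id}:{normalise(code)}".encode()).hexdigest()


class BackupCodeStore:
    """Stand-in for the separate backup codes table (assumed schema)."""

    def __init__(self):
        self.rows = {}  # user_id -> [{"hash": ..., "used": bool}]

    def issue(self, user_id, n=10):
        codes = generate_codes(n)
        # Issuing a new set replaces the old one, so old codes stop working.
        self.rows[user_id] = [{"hash": hash_code(user_id, c), "used": False} for c in codes]
        return codes  # shown to the user once, never stored in clear

    def consume(self, user_id, code):
        """Restore-and-consume: True exactly once per valid, unused code."""
        h = hash_code(user_id, code)
        for row in self.rows.get(user_id, []):
            if hmac.compare_digest(row["hash"], h):
                if row["used"]:
                    return False
                row["used"] = True
                return True
        return False

    def remaining(self, user_id):
        return sum(1 for r in self.rows.get(user_id, []) if not r["used"])
```

Re-issuing a set, regenerating after the last code is consumed, and rate limiting the consume endpoint belong in the endpoint layer the issue mentions, not in this store.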
Reference: researchequals/api#90