
Backup code text/download should include context #293

Open

tellyworth opened this issue Aug 12, 2024 · 5 comments

Comments

@tellyworth

Currently the backup codes, when copied to the clipboard or downloaded as a text file, contain literally only the comma-separated codes.

It would be better to include a little context with that text. At a minimum, a simple header such as:

Two-Factor backup codes for your wordpress.org account:

This would make it easier for users to search their computer/phone for codes in a recovery situation.

We could also consider including additional context like the date and username. Including the username could increase the likelihood of a bad actor misusing a misplaced file; I'm not sure if that's a significant issue.

@StevenDufresne
Contributor

We can also include the name of .txt file in our documentation to help users find saved codes on their computer.

@dd32
Member

dd32 commented Aug 15, 2024

The two-factor plugin has the following header for files:
https://github.com/WordPress/two-factor/blob/e5d6b20ed901429faadbf015ce56ba6e55abe68e/providers/class-two-factor-backup-codes.php#L273-L281
Example:

Two-Factor Recovery Codes for https://site.example/

1. 0000000
2. 0000000
3. ...

@dd32
Member

dd32 commented Aug 20, 2024

Suggestion:

Two-Factor Backup Codes for 'dd32' on WordPress.org.
These codes were generated on 2024-08-20.
Each code can only be used once.

1. 0000001
2. 0000002
3. ...

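As an added example (my own code, not part of this thread or of the wporg-two-factor project), the following Python builds the download text in the header format suggested above and recovers the codes again from a saved file, whether it is the bare comma-separated list the site produces today, the numbered list with header proposed here, or the two-factor plugin's "Two-Factor Recovery Codes for <url>" header. The site label, the 7-digit placeholder codes and the `matches_account` helper are assumptions made for illustration; the real code length and alphabet are not stated in the thread.

```python
import re
from datetime import date

# Assumption: site label taken from the suggestion in this thread; the
# sample codes below are 7-digit placeholders, not real backup codes.
SITE_NAME = "WordPress.org"
CODE_TOKEN = re.compile(r"[A-Za-z0-9]+")
NUMBERED_LINE = re.compile(r"\d+\.\s+([A-Za-z0-9]+)")


def format_backup_codes(username, codes, generated_on, site=SITE_NAME):
    """Build the clipboard/download text in the suggested format:
    a three-line context header, a blank line, then a numbered code list."""
    if not codes:
        raise ValueError("no codes to write")
    lines = [
        f"Two-Factor Backup Codes for '{username}' on {site}.",
        f"These codes were generated on {generated_on.isoformat()}.",
        "Each code can only be used once.",
        "",
    ]
    lines.extend(f"{n}. {code}" for n, code in enumerate(codes, start=1))
    return "\n".join(lines) + "\n"


def parse_backup_codes(text):
    """Recover (header_lines, codes) from a saved backup-code file.

    Numbered lines ("3. 0000003") and bare comma-separated code lists are
    treated as codes; every other non-empty line is kept as context text,
    so the same parser handles the old format and both header formats.
    """
    header, codes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        numbered = NUMBERED_LINE.fullmatch(line)
        if numbered:
            codes.append(numbered.group(1))
            continue
        parts = [p.strip() for p in line.split(",")]
        if all(CODE_TOKEN.fullmatch(p) for p in parts):
            codes.extend(parts)  # old format: "0000001,0000002,..."
            continue
        header.append(line)      # header/context lines such as the date
    return header, codes


def matches_account(text, username):
    """Hypothetical helper for the recovery case in the issue description:
    does a saved file's header name this account? Only the new format can."""
    header, _ = parse_backup_codes(text)
    return any(f"'{username}'" in line for line in header)


# Constructed sample inputs (placeholder codes, not real ones).
OLD_FORMAT = "0000001,0000002,0000003\n"
NEW_FORMAT = format_backup_codes("dd32", ["0000001", "0000002", "0000003"],
                                 date(2024, 8, 20))
PLUGIN_FORMAT = ("Two-Factor Recovery Codes for https://site.example/\n\n"
                 "1. 0000000\n2. 0000000\n")

if __name__ == "__main__":
    print(NEW_FORMAT)
    for sample in (OLD_FORMAT, NEW_FORMAT, PLUGIN_FORMAT):
        print(parse_backup_codes(sample))
```

Keeping the header lines free of any comma-separated all-alphanumeric text is what lets the parser stay format-agnostic; a header that included, say, a bare `username,date` line would be misread as codes.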
@pkevan
Contributor

pkevan commented Aug 21, 2024

> Suggestion:
>
> Two-Factor Backup Codes for 'dd32' on WordPress.org.
> These codes were generated on 2024-08-20.
> Each code can only be used once.
>
> 1. 0000001
> 2. 0000002
> 3. ...

This is perhaps too much information for backup codes, and that username shouldn't feature in the output?

@dd32
Member

dd32 commented Aug 21, 2024

> This is perhaps too much information for backup codes, and that username shouldn't feature in the output?

The addition of the username comes from the issue description; I feel that the user experience improvement is better than the alternative. If someone has their 2FA backup codes leaked they've likely got bigger problems?

> We could also consider including additional context like the date and username. Including the username could increase the likelihood of a bad actor misusing a misplaced file; I'm not sure if that's a significant issue.
