
Backup codes are saved before user intends #507

Open
iandunn opened this issue Jan 25, 2023 · 5 comments

@iandunn
Member

iandunn commented Jan 25, 2023

Currently, clicking the Generate verification codes button will generate codes and save them to usermeta. I think most users will only expect the codes to be saved if they click the Update Profile button.

If they navigate away from the page without clicking that, they'll assume nothing has changed, but in reality it has. This can be a problem if they already had existing codes, and accidentally clicked the button, or clicked it intentionally but then decided they didn't want new codes. Their old codes are now invalid, but they don't know that and won't save the new ones. They could be locked out in the future because their saved codes no longer work.

@jeffpaul
Member

Alternatively, I might suggest we change the button to Generate verification codes and save to profile (or some better worded text) as (1) that seems like a better state to get users to, (2) I don't expect (m)any people want to just generate codes and not make them what relates to their user account, (3) it's possible folks would click a Generate verification codes button and not realize they need to click Update Profile to save those codes to their profile.

@iandunn
Member Author

iandunn commented Jan 26, 2023

change the button to Generate verification codes and save to profile (or some better worded text)

That (or some text near the button) could be a good alternative 👍🏻 The most important thing is that the user is informed about what will happen.

I don't expect (m)any people want to just generate codes and not make them what relates to their user account

I was thinking of situations where the user accidentally clicks the button, or when they click it and then want to "undo" that by leaving the page without saving. That could be the case if someone is running low on codes and decides to regenerate, but then discovers their printer isn't working or something, so they want to come back and do it later.

Those are admittedly edge cases, though.

not realize they need to click Update Profile to save those codes

That's a fair point, especially since the current precedent is that you don't need to. Not having to click Update is inconsistent with the rest of the settings on that page, though, and some of the Two Factor settings. IMO it'd be best for UX if everything is consistent.

This isn't something I feel strongly about, though, it's an edge case and I can see your point of view 👍🏻

@pkevan
Contributor

pkevan commented Jan 27, 2023

Perhaps some kind of confirmation dialogue would help with the accidental (or intentional) click, and draw their attention to the fact that codes will be updated?

@dd32
Member

dd32 commented Feb 10, 2023

This could be dealt with the same as the TOTP setup process.

Rather than generating and saving them server-side before showing the UI, they could be generated, provided to the client, and only hashed/saved server-side upon a second API request after user action. If we need to validate that the server generated the codes (to prevent someone sending bad-random codes?) a signature could be included if required.

That wouldn't prevent the UI being changed to "Generate and save" though.
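
The two-request flow dd32 describes, as an added example that is not code from the plugin or from anyone in this thread: plain Python stands in for the plugin's PHP, and the HMAC secret, the 8-digit code format, the expiry window and the in-memory `store` are all assumptions for illustration. Nothing is written on the first request, so an accidental click or leaving the page leaves the user's existing codes valid; the signature lets the second request refuse codes the server did not generate.

```python
import hashlib, hmac, json, secrets, time

# Constructed values: a real deployment keeps a persistent secret in config.
SERVER_SECRET = secrets.token_bytes(32)
CODE_COUNT = 10
PENDING_TTL = 600        # seconds a generated-but-unsaved set stays valid
HASH_ITERATIONS = 50_000

def _sign(payload):
    # Canonical JSON so both requests sign identical bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def generate_pending_codes(user_id, now=None):
    """Request 1: generate codes and return them signed but UNSAVED.
    The user's record is untouched, so an accidental click or leaving
    the page keeps any existing codes valid."""
    now = int(time.time() if now is None else now)
    codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(CODE_COUNT)]
    payload = {"user_id": user_id, "codes": codes, "expires": now + PENDING_TTL}
    return {"payload": payload, "sig": _sign(payload)}

def _hash_code(code):
    # Codes are short, so store a slow salted hash, never the code itself.
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, HASH_ITERATIONS)

def commit_codes(user_id, submission, store, now=None):
    """Request 2: after explicit confirmation, verify the server signature,
    then hash and persist the codes, replacing any old set."""
    now = int(time.time() if now is None else now)
    payload = submission.get("payload", {})
    # Rejects client-chosen or altered codes: only server-generated sets pass.
    if not isinstance(payload, dict) or not hmac.compare_digest(
            _sign(payload), str(submission.get("sig", ""))):
        return False
    if payload.get("user_id") != user_id or now > payload.get("expires", 0):
        return False  # signed for another user, or the pending set went stale
    store[user_id] = [_hash_code(c) for c in payload["codes"]]
    return True

def verify_code(user_id, code, store):
    """Consume one backup code; each code is single-use."""
    for i, (salt, digest) in enumerate(store.get(user_id, [])):
        candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, HASH_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            del store[user_id][i]
            return True
    return False
```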

@timiwahalahti

timiwahalahti commented Feb 22, 2023

A better procedure is needed indeed. Locked my .org account yesterday, as I didn't expect visiting the backup codes page also to trigger those to be activated. Especially since I didn't manage to set up any TOTP a few moments earlier (because of a now-fixed bug).

Is there a reason why backup codes should even be generated if 2FA is not activated?
