Activating multiple methods is confusing and can fail silently

[simonwheatley]

What I did:

1. Activated Two Factor on Engie on my sandbox only, logged in and navigated to my user profile…
2. Checked “SMS”, “Backup Verification Codes”, and “Time Based One-time Password” methods
3. Clicked “Update Profile”
4. The edit profile page came back with “Two-Factor: You are out of backup codes and need to regenerate!”… no methods were checked
5. It seems like if any method which you have checked fails it’s activation checks, then any new methods you have checked also fails activation.

Suggestions:

• Consider moving Two Factor configuration to it’s own page; the user profile page is already crowded, and breaking this out might help make things clearer. Perhaps leave a link to the “configure two factor” page.
• An explanatory admin notice to say that activating methods has failed
• An explanatory admin notice for each failed method, explaining what needs to be done to get past this

[georgestephanis]

My hesitancy with breaking Two-Factor out onto its own admin page was that I didn't want to clutter the admin menu with an extra tab for users that don't use two-factor.

I'd be 100% fine breaking it out if we add some logic so that it's only displayed if they click a checkbox to enable two-factor authentication on their profile page or the like.

Maybe a single check to enable two-factor on the profile page, and then a subpage to configure it further? It's a bit complex, no matter how it's done. :\

[crstauf]

Could just be a link on the user's profile, and from there you turn on/off and setup (I don't see a need for it to be accessible from the admin menu).

[WordMessie]

I'd like to add that this happens the other way around too:

1. Selecting "Authenticator App" and "Backup Verification Codes".
2. Scanning QR code in authenticator app but NOT entering code from the app beneath the QR code in WordPress (because, for example, user just forgets or overlooks input field).
3. Clicking "Save Profile".
4. No error being thrown that "Authenticator App" has been selected but no auth code has been entered.
5. Instead "Authenticator App" as an option is just unselected and "Backup Verification Codes is still selected.
6. Also: "Backup Verification Codes" can be selected and User profile can successfully be saved and exited without ever clicking "generate new codes". This could lead to users locking themselves out by mistake.