Hello. I just managed to get 2FA working tonight. It works well. But there is one detail that is a bit awkward imho, if I create backup codes.
- Activate TOTP
- Generate One-time Backup Code
- Log in with web interface
I expect to enter my username and password, then get prompted for a 2FA code.
Instead, an intermediate screen asks if I want to enter a 2FA code or a recovery code. I have to click on a choice to proceed. But why? 2FA codes are decimal numeric. Recovery codes are hex. Should be able to look at them and decide what needs to be done. It’s not any bigger a security risk - everyone knows that 2FA codes are in most cases 6-digit decimal numerics so it’s no more risky to make that decision after the user enters the information, is it?
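A sketch of the single-prompt flow the post asks for, added here as an example and not taken from the post or from the project's code. The 16-character hex backup-code length, the lockout threshold and the `account` record are assumptions; the page does not give them.

```python
import hashlib, hmac, re, struct

TOTP_RE = re.compile(r"[0-9]{6}")         # 6-digit decimal TOTP, as in the post
BACKUP_RE = re.compile(r"[0-9a-f]{16}")   # assumed: 16 hex chars (length not on the page)
MAX_FAILURES = 5                          # assumed lockout threshold

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**6:06d}"

def classify(code: str) -> str:
    """Decide the code type from its shape alone."""
    # A hex code can consist only of digits, so the character set is not
    # enough: the two formats must differ in length to stay unambiguous.
    code = code.strip().lower()
    if TOTP_RE.fullmatch(code):
        return "totp"
    if BACKUP_RE.fullmatch(code):
        return "backup"
    return "invalid"

def verify(account: dict, code: str, now: int) -> str:
    """Single-prompt check. `account` is a hypothetical record:
    {'secret': bytes, 'backup': set of unused codes, 'failures': int}."""
    if account["failures"] >= MAX_FAILURES:
        return "locked"
    code = code.strip().lower()
    kind = classify(code)
    ok = False
    if kind == "totp":
        # Accept the current and the previous time step to tolerate clock drift.
        ok = any(hmac.compare_digest(totp(account["secret"], max(0, now - d)), code)
                 for d in (0, 30))
    elif kind == "backup":
        hit = [c for c in account["backup"] if hmac.compare_digest(c, code)]
        if hit:
            account["backup"].discard(hit[0])   # one-time code: burn it on use
            ok = True
    if ok:
        account["failures"] = 0
        return kind
    account["failures"] += 1   # one shared counter, so merging the prompts adds no guesses
    return "rejected"
```

The shared failure counter is what keeps the merged prompt from widening the guess budget: a wrong entry costs one attempt regardless of which format it resembles.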