    Why does FusionAuth provide 10 recovery codes?

      stephen

      Many systems, along with FusionAuth, provide 10 recovery codes. Once one is used, they are all reset, so why provide 10 of them?

      I can see one reason being storing them in multiple places, but you could just store the same one in multiple places. I'm trying to determine if I should show all 10 to the user, or if a single one makes the most sense. Does anyone have any thoughts or opinions on this?

        joshua @stephen

        @stephen

        These are usually one-time-use codes, so you have ten chances to use them. In the case of MFA, for instance, that would be 10 times to log in if your SMS provider was down.

        Maybe I am missing your use case?

        Thanks,
        Josh

          stephen @joshua

          @Joshua

          Thanks for the explanation.

          In our system, we only present recovery codes as a way to disable two-factor and reset it back up, not as a mechanism to bypass it temporarily.

          This provides a solution for the following use cases:

          • A user loses access to their device that has their authenticator app on it
          • A user has to switch phone numbers or loses access to their phone number
            joshua @stephen

            @stephen

            I think that makes sense to me. I would have to test this to fully ensure I remember the flow, but displaying one or two codes might be fine.

            Thanks
            Josh
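
The two ways of spending a recovery code discussed in this thread (a one-time bypass of a single MFA challenge, versus disabling two-factor so it can be set up again), shown side by side as an added example that is not part of any post and is not FusionAuth's implementation. The class, its method names, the code format and the digest storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # the number discussed in the thread; everything else is assumed


def _digest(code):
    # Codes are random, high-entropy values, so only a SHA-256 digest is kept
    # server-side; the plaintext is shown to the user once at issue time.
    return hashlib.sha256(code.encode()).digest()


class RecoveryCodes:
    """Hypothetical per-user store of recovery-code digests."""

    def __init__(self, count=CODE_COUNT):
        self.count = count
        self.digests = set()

    def issue(self):
        """Revoke any outstanding codes and return a fresh plaintext set."""
        codes = [secrets.token_hex(5) for _ in range(self.count)]
        self.digests = {_digest(c) for c in codes}
        return codes

    def _match(self, code):
        candidate = _digest(code)
        for stored in self.digests:
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                return stored
        return None

    def bypass_once(self, code):
        """Policy A: the code replaces one MFA challenge; only it is burned."""
        stored = self._match(code)
        if stored is None:
            return False
        self.digests.discard(stored)
        return True

    def disable_mfa(self, code):
        """Policy B: the code turns MFA off for re-setup; all codes are revoked."""
        if self._match(code) is None:
            return False
        self.digests.clear()
        return True
```

Under policy A the number of codes is the number of logins that can survive a lost or unavailable second factor; under policy B a single successful use revokes every remaining code, which is the situation the original question describes.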
