My opinion is that it can just as well be shown only once as shown several times.
That's not the same as for a token that is stored hashed in the database.
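To illustrate that point, here is an added example (plain PHP written for this thread, not Fortify's own implementation; an in-memory array stands in for the database column): when only bcrypt hashes of the codes are stored, the plaintext exists only at issue time, so showing the codes once is the only option, and each code is consumed on use.

```php
<?php
// Added example (not Fortify's code): a recovery-code store that keeps only
// password_hash() digests, so codes can be shown to the user exactly once.
declare(strict_types=1);

final class RecoveryCodeStore
{
    /** @var string[] bcrypt hashes; stands in for a database column */
    private array $hashes = [];

    /** Generate $count codes, store only their hashes, return the plaintext once. */
    public function issue(int $count = 8): array
    {
        $plain = [];
        $this->hashes = [];
        for ($i = 0; $i < $count; $i++) {
            // 10 random bytes -> 20 hex chars, formatted as xxxxx-xxxxx-xxxxx-xxxxx
            $code = implode('-', str_split(bin2hex(random_bytes(10)), 5));
            $plain[] = $code;
            $this->hashes[] = password_hash($code, PASSWORD_BCRYPT);
        }
        return $plain; // the only moment the plaintext exists outside the user's hands
    }

    /** Burn a code on successful use so it cannot be replayed. */
    public function redeem(string $candidate): bool
    {
        foreach ($this->hashes as $i => $hash) {
            if (password_verify($candidate, $hash)) {
                unset($this->hashes[$i]);
                $this->hashes = array_values($this->hashes);
                return true;
            }
        }
        return false;
    }

    public function remaining(): int
    {
        return count($this->hashes);
    }
}

$store = new RecoveryCodeStore();
$codes = $store->issue(); // display these to the user now; they cannot be retrieved later
$first = $codes[0];
var_dump($store->redeem($first)); // first use of a valid code
var_dump($store->redeem($first)); // replaying the same code
var_dump($store->remaining());    // codes left after one redemption
```

If the column instead held reversibly encrypted codes, as a re-display feature would require, the same class could decrypt and show them again, which is exactly the difference the reply above is pointing at.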
I'm using Laravel Fortify to allow users to set up two-factor authentication on their account. As part of this process you can generate a set of "recovery codes" which allow you access to your account should your authenticator app be unavailable.
I wonder what the best practice is for displaying these codes. At the moment I display them to the user only once, when they first enable two-factor authentication. They aren't shown again; however, they can opt to re-generate them if they need to. I did this based on how other sites work that I use - for example Digital Ocean only shows you the recovery codes the first time around.
But I wonder what the implications are of always having the recovery codes available for the user to view within their profile/account? Is there any good reason to only show them one time?
Thanks,