I would keep it as it is, if they lost it. Display a message that they need to contact support. Support can then verify if it's legit and disable the 2FA for that account.
Apr 27, 2024
1
Level 8
Jetstream 2FA account recovery question
Hello,
When using Jetstream's 2FA, the user has no way to log in to his account in case he loses recovery codes (and his device).
What would be a proper flow for account recovery in such case? Jetstream does not provide any.
What would be a good practice for such a thing? I can't imagine other websites using 2FA not giving users the ability to recover their account in another way.
I'm pretty sure it happened to me on AWS once and they simply sent a regular code to the registered email, just like a regular OTP.
However on Jetstream docs, they say:
Most Jetstream features can be customized via action classes. However, for security, Jetstream's two-factor authentication services are encapsulated within Jetstream and should not require customization.
Does it mean I can't do it because I might break something?
Thanks
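One way to implement the "contact support, support verifies, support disables 2FA" flow suggested in the reply, as an added example that is not part of this thread and not code shipped by Jetstream or Fortify: an artisan command that a support operator runs only after verifying the account owner's identity out of band. It does not customize Jetstream's 2FA services; it calls Fortify's own DisableTwoFactorAuthentication action, which is what the "disable 2FA" button in the Jetstream profile page invokes. The command name, the ticket argument and the log message are assumptions chosen for this example.

```php
<?php

namespace App\Console\Commands;

use App\Models\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Log;
use Laravel\Fortify\Actions\DisableTwoFactorAuthentication;

// Hypothetical support-desk command (not shipped with Jetstream/Fortify).
// Run only after a human has verified the account owner's identity out of band.
class SupportDisableTwoFactor extends Command
{
    protected $signature = 'support:disable-2fa
                            {email : Address of the locked-out user}
                            {ticket : Support ticket id kept for the audit trail}';

    protected $description = 'Disable two-factor authentication for a user after support has verified their identity';

    public function handle(DisableTwoFactorAuthentication $disable): int
    {
        $email = $this->argument('email');
        $ticket = $this->argument('ticket');

        $user = User::where('email', $email)->first();

        if ($user === null) {
            $this->error("No user with email {$email}.");
            return self::FAILURE;
        }

        // Jetstream stores the TOTP secret in two_factor_secret; null means 2FA is off.
        if ($user->two_factor_secret === null) {
            $this->info("Two-factor authentication is not enabled for {$email}; nothing to do.");
            return self::SUCCESS;
        }

        // Make the operator acknowledge the verification step explicitly.
        if (! $this->confirm("Ticket {$ticket}: has the user's identity been verified out of band?")) {
            $this->warn('Aborted: identity not verified.');
            return self::FAILURE;
        }

        // Fortify's own action clears two_factor_secret, two_factor_recovery_codes and
        // two_factor_confirmed_at and dispatches TwoFactorAuthenticationDisabled, so any
        // listener you already have (e.g. a "2FA was turned off" email) still fires.
        $disable($user);

        // Audit record: who did it, for whom, under which ticket. The shell user is
        // best effort only; replace with your help-desk operator id if you have one.
        Log::warning('Two-factor authentication disabled by support', [
            'user_id'  => $user->id,
            'email'    => $email,
            'ticket'   => $ticket,
            'operator' => getenv('USER') ?: 'unknown',
        ]);

        $this->info("Two-factor authentication disabled for {$email}. Ask the user to log in and re-enrol immediately.");

        return self::SUCCESS;
    }
}
```

Placed in app/Console/Commands it is picked up by Laravel's default command loading, and runs as `php artisan support:disable-2fa user@example.com TICKET-123`. The design choice is that the verification step stays with a person: an automatic "send a code to the registered email" fallback would let anyone who controls the mailbox bypass the second factor, turning 2FA back into a single factor, whereas a logged, ticket-bound support action keeps that decision auditable and out of the login path.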