Require Recovery Code Prompt on Initial Two-step Login Setup

Several online services require some form of user interaction and acknowledgment during the initial setup of 2FA for an account.

  • This feature would automatically display the user account’s two-step login recovery code when the user sets up two-step login for the first time.

Feature function

  • Display the two-step login recovery code automatically for the user upon initial setup of 2FA login.

  • Require user acknowledgement of account two-step recovery code and guarantee interaction with user prompt modal.

  • Functionally this should work fairly similarly to how it does currently when going to the “View Recovery Code” section in the web-vault, which currently can only be viewed after two-step login is set up.
    (As we have seen here many times, there are several instances where individuals simply do not notice this section and forget to record their recovery code.)

  • Once a user has already verified their master password and sets up two-step login on the account for the first time, the two-step login recovery code dialogue box should automatically show for the user as it does now when manually selecting to View Recovery Code.

This will give the user time to print/save their account recovery code or at least give some acknowledgment they have seen it and Close the prompt.

Related topics + references

I was honestly a bit baffled to realize Bitwarden hadn’t already implemented this type of flow.
Many security-conscious users will be sure to record these when setting up an account, but I only noticed when assisting a family member to enroll in Bitwarden. As we have seen many times, many users may not notice the section simply above the two-step login setup, or have the forethought to view and save this information.

I have run into this requirement multiple times when setting up MFA login for online accounts.
Services will automatically show a user’s recovery info after it is enabled the first time; some even require that the user print a document or save it as a file.

Some examples include:

  • GitHub

When enabling 2FA on GitHub

TOTP secret scanned and 2FA code generated

Upon verification of 2FA code, 2FA recovery codes are immediately shown to the user.

GitHub requires users to select Download 2FA recovery codes in order to proceed and select the option “I have saved my recovery codes”.

If the user does not select Download 2FA recovery codes during setup, the “I have saved my recovery codes” option cannot be selected.

Cancel will leave the page and changes are not saved; the user is required to download the 2FA recovery codes to enable 2FA.

  • Microsoft

When enabling 2FA on personal Microsoft account

Tip is provided to print or write down recovery code

Authenticator app selected for TOTP 2FA

TOTP secret key saved, 2FA code generated and confirmed

Recovery code is immediately shown to user directly after setting up 2FA for the account
An additional option to Print the code is shown, but it is not required.

Hey Ken, thanks for the thorough write-up on this one, I’ve shared it with the team :+1: