Feature Request
The present (and evidently intended) behavior of the “Recovery Code” option on the Two-Step Login Options screen is inefficient and counterintuitive. I propose that this function be modified so that it works as any reasonable user would expect — i.e., selecting the 2FA “Recovery Code” option should actually open the 2FA Recovery Form, instead of making the user jump through unnecessary hoops.
Steps To Reproduce the Problematic Behavior
- Use a Bitwarden account that has 2FA enabled.
- On the Web Vault Login page, enter email, then master password, then click “Log in with master password”.
- At the 2FA prompt, click “Use another two-step login method”.
- On the Two-step Login Options modal screen, click the Select button for the Recovery Code option.
Current Behavior
Clicking the Select button inexplicably launches an article from the Help Center:
About half-way through this article, the attentive reader will find a statement “Learn more here”, in which the word “here” is a hyperlink to yet another Help Center article:
Within this second Help Center article, the reader will ultimately find the instructions “To use your recovery code, navigate to https://vault.bitwarden.com/#/recover-2fa/”, and upon clicking the URL, they will finally be taken to the relevant 2FA Recovery Form.
Proposed Behavior
As any reasonable user would expect, selecting the “Recovery Code” option should take you directly to the 2FA Recovery Form at https://vault.bitwarden.com/#/recover-2fa, where you can enter your recovery code to disable 2FA. The workflow should look like this:
Additional Context
The 2FA Recovery Code option may conceivably be used in two very different contexts:
- A user has lost access to their 2FA methods, and would therefore be locked out of their vault, but for the existence of the 2FA recovery code. Such a user will likely be stressed, perhaps even panicked, and may not have the patience and mental concentration required to review all of the presented Help Center articles to find the required links. There is no good reason why clicking the Select button shouldn’t take this user directly to the 2FA Recovery Form, instead of requiring them to hunt for two additional links that must be clicked before the form is reached.
- A user who is not locked out of their vault, but does not know about 2FA recovery codes, and selects the “Recovery Code” option out of curiosity. Although such a user may find the linked Help Center articles of interest, it should be noted that the 2FA Recovery Form also includes a prominent “Learn more” link that points to the relevant Help Center article. Because this category of user is unlikely to be hurried or stressed, they will not be negatively affected by the need to make one additional mouse click to get information about 2FA recovery.
The current implementation of the “Recovery Code” option appears to be tailored to the second use-case, but it makes much more sense to prioritize the first use-case (especially since there are no disadvantages of doing so).