Bug #177

Show 2FA "invalidate" button even when 2FA is disabled

Added by admin over 6 years ago.

Status: New
Start: 2019-01-11
Priority: Normal
Due date:
Assigned to: -
% Done: 0%
Category: -
Target version: -
Votes: 0

Description

At the moment the button to invalidate your 2FA key does not appear when 2FA is disabled.

It is intended behaviour that someone who has previously enabled 2FA can disable it without destroying the key, so that they may later re-enable it without having to enrol their device all over again.

However, not showing the "invalidate" button while 2FA is disabled means that a user can't go from the disabled state to obtaining a new key without re-enabling the old key first. It isn't very clear that this is what they need to do.

If someone has lost their 2FA access and asked support to disable 2FA, the first thing they will often want to do is set up 2FA again. At the moment they will be presented only with the option to re-enable 2FA, and using that will not show the key again. They won't be able to re-import the key into their device.

Rather than continually showing the key, the "invalidate" button should be present, and it should be made clear that using it is the best way to set up a new key.
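The states described in this ticket, modelled as an added example (not the application's own code), with a search for the shortest click sequence from "disabled, key kept" to a screen that shows a key. The state names, the `invalidate_when_disabled` switch and the assumption that invalidating returns the account to an unenrolled state, where enabling generates and shows a fresh key, are illustrative.

```python
from collections import deque

# Modelled state: (has_key, enabled). Names and transitions are assumptions
# drawn from the ticket text, not the application's real code.
UNENROLLED = (False, False)
ENABLED = (True, True)
DISABLED_KEY_KEPT = (True, False)

def actions(state, invalidate_when_disabled):
    """Buttons offered in `state`, as {label: (next_state, key_shown)}."""
    has_key, enabled = state
    if not has_key:
        # Fresh enrolment: a new key is generated and shown for import.
        return {"enable": (ENABLED, True)}
    offered = {}
    if enabled:
        offered["disable"] = (DISABLED_KEY_KEPT, False)  # key is retained
    else:
        offered["re-enable"] = (ENABLED, False)  # old key, not shown again
    if enabled or invalidate_when_disabled:
        offered["invalidate"] = (UNENROLLED, False)  # key destroyed
    return offered

def path_to_new_key(start, invalidate_when_disabled):
    """Shortest click sequence from `start` to a screen that shows a key."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        for label, (nxt, shown) in actions(state, invalidate_when_disabled).items():
            if shown:
                return path + [label]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None

if __name__ == "__main__":
    for fixed in (False, True):
        print("proposed" if fixed else "current ",
              path_to_new_key(DISABLED_KEY_KEPT, fixed))
```

Under the current behaviour the only route passes through re-enabling the old key, which is the step a user who has lost their device cannot complete meaningfully.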
