Friends who know more about MFA than I do: is it "bad" or just "weird" when the recovery code after adding an MFA device is... the same code you used from the MFA device to demonstrate it was working?
That's an odd way of making recovery codes since they should be one-time use and shouldn't be as weak as TOTP codes. Should just be random.
At this point, it's hard to see anything other than FIDO2 security key support as not being terrible. TOTP isn't great even when done well.
I like the way it works on a Google account with Advanced Protection: only security keys with at least 2 dedicated keys and ability to use the TEE/HSM in phones as additional security keys. If you want more backups you add more keys. No recovery codes or easy support backdoor.
A recovery code is presumably not time sensitive and TOTP codes are super weak even with the time constraint. They better have incredibly aggressive brute force mitigations for those.
It's really best if sites support the more convenient + much more secure security key approach.
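As an added illustration of the distinction drawn in the replies above (this is example code, not anything posted by the participants), the following Python sketch contrasts the size of a 6-digit TOTP code space with random, hash-stored, single-use recovery codes. The 80-bit code length, the hex-group formatting and the use of SHA-256 are assumptions of the example, not a description of any particular site.

```python
import hashlib
import hmac
import math
import secrets

# A 6-digit TOTP code has only 10**6 possible values (under 20 bits) and
# stays valid for a whole time step, so it is a poor recovery credential.
# A recovery code should instead be random, high-entropy, single-use and
# stored only as a hash. (Policy values below are assumptions of the example.)
TOTP_DIGITS = 6
RECOVERY_CODE_BYTES = 10   # 80 bits of entropy per recovery code


def entropy_bits(code_space: int) -> float:
    """Bits of entropy for a uniformly chosen value from a space of this size."""
    return math.log2(code_space)


def generate_recovery_codes(count: int = 8) -> list:
    """Return `count` random recovery codes, hex split into 5-char groups."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(RECOVERY_CODE_BYTES)        # CSPRNG, not TOTP
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    return codes


def _hash_code(code: str) -> str:
    # Normalise user input (dashes, case) before hashing. A fast hash is
    # acceptable here only because the input already carries 80 random bits.
    normalized = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


class RecoveryCodeStore:
    """Holds only hashes of the issued codes; each code redeems at most once."""

    def __init__(self, codes):
        self._hashes = {_hash_code(c) for c in codes}

    def redeem(self, presented: str) -> bool:
        digest = _hash_code(presented)
        matched = None
        # Compare against every stored hash in constant time so that
        # response timing does not reveal which (if any) entry matched.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)   # one-time use: burn it on success
        return True
```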