
Request: TOTP without recovery code functionality

#1

The New Universal Login (like the classic one) assumes the TOTP is always accompanied by a recovery code function.
But we explicitly don't want the recovery code, just the TOTP.
In this way we keep the authentication more secure. We have our own reset procedure in case a TOTP secret needs to be deployed again (like a broken mobile device).
Could you make the use of the recovery code a configurable option in the new login experience?

#2

Hi Arjan,

We are considering providing account recovery options that do not imply using recovery codes.

I'd like to better understand how you are handling resetting TOTP secrets. Would it be possible for you to explain it? Feel free to send me a direct message if you prefer not to share it in the community.

Thanks,

Andres

#3

Hi Andres,

Without being too specific, we have a certain use case in which we don't like the recovery code, or other kinds of self-service reset based on "knowledge", since they decrease the authentication strength and create an additional attack surface. If the MFA secret is enrolled properly on a device, then the TOTP can function as the "possession" factor.
(I can imagine use cases that, on the contrary, require a self-service reset. So that's why I ask for a configurable option.)

#4

Hi Arjan,

I understand the feature you want us to add to the product, but we've been discussing some ideas around this issue, and it would be very helpful if you could share more details about your scenario. Would you mind sending me an email to andres.aguiar at auth0.com?

Thanks a lot.

Andres