2FA Should have a recovery method


I suggest you to be having other ways to recover 2FA by sending temp authenticaiton code through email or phone sms.


manually recreating account actually cause customer support effort and also waste customer's time.


  • Ukko
    Ukko Posts: 3,637 Superuser



    Sorry for my reply. I'm also only an F-Secure user (their home solutions).


    Just as my potential feelings:


    -> does it about F-Secure Account portals (and/or for its business account portals)?

    -> does recovery method is needed for situations when it is not possible to use installed 'pinned' mobile application for two step verification code AND backed up 'offline' codes are inaccessible?


    If yes - I think that temporary auth code through email(?! which one) is potentially vulnerable design. For example, if user do use two-step verification for logging into portal and his email account is compromised -> previously there is anyway two step verification in use.

    with recovery method by email: compromised email -> and there is ability to recovery password and 'recovery' two step verification with further access to portal/account.


    If by phone sms -> currently phone number is not pinned to F-Secure account (at least, home solutions) probably. So, does with such option -> F-Secure should to ask phone number and store it during registration?

    With F-Secure Mobile Solutions - something like 'trusted numbers' in use - but it is pinned to mobile solution only (probably).

    But if there is ability to use 'phone sms' - does it likely that TSV or TFA application is broken; or backed up codes are inaccessible?



This discussion has been closed.