Disable Two Factor Auth
Loading "Intro to Two Factor Authentication Check"
Run locally for transcripts
We're almost finished with the 2FA stuff. The trick is that 2FA shouldn't just
be used when the user is logging in, but also when they're performing sensitive
actions. For example, if a user is changing their email, password, or even their
2FA settings, they should be required to enter their 2FA code. Here's a
continuation on our 2FA flow diagram that completes the loop and disables 2FA:
We left off at the step where the user logs in. So, to continue from there:
- The user clicks the "Disable 2FA" button on the website.
- The server sends them to
/verifyso they can re-verify their 2FA code. - The user submits a code from their 2FA app
- The server verifies the code
- The user confirms they wish to disable 2FA
- The server deletes the 2FA verification and sends the user back to their settings page.
One tricky bit of this is handling the case where the user has already submitted
their 2FA code recently. It would be really annoying for a user to login with
their 2FA code, and then be required to submit it again a few seconds later. So
you're going to need to keep track of the last time the user submitted their 2FA
code and use that to determine whether they need to re-verify.
You may also consider requiring the user to re-enter their password as part of
the re-verification process. You could definitely adjust what we're about to do
to make that happen. This would have the benefit of an added layer of security
for folks who don't enable 2FA. But we're just going to focus on the 2FA code
for this exercise.