Second authentication/confirmation to disable 2FA

[stronenv]

When disabling 2FA, you're not asked to confirm by entering a 2FA code, password, or asked to confirm.

Suggested improvements for disabling 2FA:

1. Second confirmation with a "Are you sure?" prompt
2. Second confirmation by entering password or 2FA code (or backup codes if you don't have access to your device.)

[pkevan]

Thanks for the report @stronenv, when you disabled 2FA was this shortly after it being enabled?

[stronenv]

Hi @pkevan! Yes, it was shortly after. I did disable it on another device, though, after logging out and back in again.

[pkevan]

Thanks for the extra details - we'll investigate further.

[renintw]

@iandunn Do you think it makes sense if we implement the first suggestion Second confirmation with a "Are you sure?" prompt first and leave the second one in iteration 2?

[iandunn]

a "Are you sure?" prompt

That seems prudent 👍🏻 , but not necessarily high priority IMO, since it's easy to turn back on, and there are several status indicators to make it obvious when it's off.

password or 2FA code

🤔 We already have this in the revalidation process. It sounds like it maybe wasn't triggered in this case because of the time window where it's not required (ala sudo mode).

If not, then that seems like it'd indicate a bug w/ the existing code that should be fixed instead.

Maybe I missed something though?

Possibly related WordPress/two-factor#578

[pkevan]

🤔 We already have this in the revalidation process. It sounds like it maybe wasn't triggered in this case because of the time window where it's not required (ala sudo mode).

Yes, I think this might be the case in the 2nd device, since the time window would start from log in.