Allow disabling Email MFA using recovery key

[gvrrxtt]

Description

On both Android and Web, there is no recovery option present after the user enters their email address and before they enter the TOTP emailed to them. It would seem the password input is oddly at the end of the login flow.

In the event a user knows their account email address, password, and recovery key, but became locked out of their email account, the recovery key is of no use.

How should one recover their account in this situation? They have more pieces of qualifying information than someone who forgot their password but has access to their email account.

Version

v3.0.18

What product are you using?

Ente Auth

What platform are you using?

Mobile - Android, Web - Firefox

[ua741]

By default, Email MFA is disabled. If a user has enabled it, it acts as extra protection and helps prevent account takeover, even if an attacker gains access to the recovery key.

We understand there is a risk of being locked out if the user cannot access their email. In such cases, the user can contact our support team. After verifying some account-related information, they may be able to assist.

[StarEmbers]

I recently ran into the same issue.
I had knowledge of my email address, my password and my recovery key but I could not access my email.

I was surprised to learn that the email verification could not be bypassed with my recovery code.
In the official FAQ on the website (under „Enteception“) it is stated that the recovery code could bypass 2FA.

TL;DR;
Ideally, you should note down your recovery key in a safe place (may be on a paper), using which you will be able to by-pass the two factor.

Is making the email the single point of failure really necessary?
While it is nice that the support is offering to help out (even though I am not sure what account details they could ask for to confirm my claim), it should not even be necessary.

Suggestion:
Allow users to set up a way to bypass email verification (in case the user is ever locked out of their email) or another alternative 2FA.

I for example like to keep a duplicate of my most important TOTP in Aegis on an old phone. It would be great if TOTP would be an alternative option to secure Ente Auth.

Luckily I was able to restore access to my email, but I am sure not everyone is that fortunate.

I am grateful that you are offering us an amazing FOSS authenticator like Ente Auth and I understand that you don‘t want to compromise security or confuse the average user, but it would be great if we were given another option. Thanks.