Issue #17 - No MFA backup/recovery codes
Type: Feature Request
Severity: P2
Description
When MFA is enabled, no backup recovery codes are generated. If a user loses their TOTP device (phone lost/broken), they are permanently locked out of their account.
Expected Behavior
Generate 8-10 one-time-use backup codes when MFA is enabled. Store them hashed in the database. Allow users to use a backup code in place of a TOTP code during login.
Acceptance Criteria
Issue #17 - No MFA backup/recovery codes
Type: Feature Request
Severity: P2
Description
When MFA is enabled, no backup recovery codes are generated. If a user loses their TOTP device (phone lost/broken), they are permanently locked out of their account.
Expected Behavior
Generate 8-10 one-time-use backup codes when MFA is enabled. Store them hashed in the database. Allow users to use a backup code in place of a TOTP code during login.
Acceptance Criteria
POST /api/auth/login/mfaaccepts backup codes as an alternative