Ask HN: What is a secure way to allow 2FA resets? 96 points by tvirelli on Dec 27, 2018 | hide | past | favorite | 74 comments I have 2FA on one of my web apps. Most users are using Google Authenticator which uses TOTP (Time-Based One-Time Password). On first login, we show them a QR code. We instruct them to save a copy of this QR code in the event they get a new phone or want to install a new 2FA app. However, I am running into a situation where users are not doing this. I can easily enough reset their account to show a QR code again on next login, but my question is: What is the safest way to "authenticate" them for a reset? I could do things like send a reset email to the email associated with the account, but I am just wondering what others are doing for situations like this. I want to make sure I am doing it as securely as possible. Thanks!







