by PaulAJ 2730 days ago
One option would be on the sign-up side: get them to "test" the recovery option. Keep bugging them about it every log-in until they do. This has two advantages:

1: This sends the message that you think it important, which might help them realise it is too.

2: They will have printed the QR code. Putting it somewhere safe is a small additional step.


Even then a backup code like that isn't going to work in all cases.

This is the same issue that electronic/cryptographic voting schemes run into.

You can't in many cases just tell your user "too bad you lost the code"; you need a way for a user who has lost everything to get back in.

Shit happens, theft, floods, fires, other natural disasters, etc... And in those cases it's somewhat common for the user to lose their phone (with the 2nd factor app on it), as well as their backup codes.

Sure, a game might be able to get away with saying "sorry, you lost your 2fa and backup, so you are SOL" (the user won't be happy, but it's not the end of the world), but for a bank account? For a utility company? For your email account? Telling the user "so sorry you are fucked" is a very bad thing, and could even be illegal in some cases.

Forcing the user to verify that they printed it out and saved it can help cut down on the number of reset requests, but it won't completely solve the problem. You still need a way for someone who has lost everything to get the account back.

> Shit happens, theft, floods, fires, other natural disasters, etc... And in those cases it's somewhat common for the user to lose their phone (with the 2nd factor app on it), as well as their backup codes.

> Sure, a game might be able to get away with saying "sorry, you lost your 2fa and backup, so you are SOL" (the user won't be happy, but it's not the end of the world), but for a bank account? For a utility company? For your email account? Telling the user "so sorry you are fucked" is a very bad thing, and could even be illegal in some cases.

In some cases you might be able to get away with using waiting periods. You can establish like a month or so and ask them to re-request after that with a recovery code you give them when they first make a request.

If nobody accesses the account in that time, you can have a bit more confidence that the request is legitimate and the account owner really has lost their credentials. And then when they re-request with their recovery code that's the authorization to start the reset.

In some cases you could tide them over with a temporary account that has limited privileges for the duration of the waiting period that can be merged back into the original account once it's unlocked. You could probably even do some behavior analysis in the temp account to see how well it matches up with points of contact, frequency of use, word choice, location, etc. on the main account.

I wouldn't trust that for a bank or a primary email, you really need to verify identity for that. But for a utility company it might be ok.
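One way to implement the waiting-period recovery flow described in the comment above (request, receive a recovery code, wait out the window, re-request with the code; any real login during the window cancels it). This is added example code, not part of the thread; the one-month window, the class and function names, and the result strings are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

WAIT_SECONDS = 30 * 24 * 3600  # assumed waiting period of roughly one month


@dataclass
class RecoveryRequest:
    code_hash: bytes      # only a hash of the recovery code is stored server-side
    requested_at: float   # epoch seconds when the first request was made
    cancelled: bool = False


@dataclass
class Account:
    user: str
    pending: Optional[RecoveryRequest] = None


def _hash(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def request_recovery(acct: Account, now: float) -> str:
    """Step 1: user reports lost credentials. Issue a recovery code and start the clock."""
    code = secrets.token_urlsafe(16)  # 128 bits of entropy; delivered to the requester
    acct.pending = RecoveryRequest(code_hash=_hash(code), requested_at=now)
    return code


def record_login(acct: Account, now: float) -> None:
    """A successful login with the real credentials during the window cancels the request
    (the owner clearly still has access, so the request was stale or hostile)."""
    if acct.pending and not acct.pending.cancelled:
        acct.pending.cancelled = True  # notifying the owner is out of scope here


def complete_recovery(acct: Account, code: str, now: float) -> str:
    """Step 2: re-request after the waiting period, presenting the code from step 1."""
    p = acct.pending
    if p is None or p.cancelled:
        return "denied: no active request"
    if now - p.requested_at < WAIT_SECONDS:
        return "denied: waiting period not elapsed"
    if not hmac.compare_digest(p.code_hash, _hash(code)):
        return "denied: wrong recovery code"
    acct.pending = None
    return "authorized: start reset"
```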