Question

I have successfully implemented two-factor authentication with PHP in my web application. Just wondering how Facebook or even Google handle the backup code scenario (in case the users have lost their phone or do not have it on them).

I have a rough idea on how to do it, but it's separate from the 2FA module itself. What I thought was to store randomly generated backup codes against each user and give priority to those codes instead of the ones that are generated from the 2FA code generator.

Am I right? Or is there a better way to do this? Any help or ideas are really appreciated.

Was this helpful?

Solution

You've got it correct. You simply check "Is this code the correct one generated by the 2FA code generator OR is this code one of the backup codes?". This page shows Google's UI for it.

It would also be acceptable to just have a "I don't have my phone; Log me in with a backup code" link that took them to a backup code login page.

It is important to require the backup code and their password, though!

Also make sure that backup codes are one-time use only - you do not want people to just memorize one and keep reusing it like a second password.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow