More tightly control enabled/primary methods

[pkevan]

Currently it's possible to select and configure primary methods - make this non-configurable for users.

Enabled as an option should not be visible too (perhaps hard coded in the theme?)

[pkevan]

Related: #15

[iandunn]

make this non-configurable for users.

Once WebAuthn is added upstream, we'll have 3 methods available: WebAuthn, TOTP, and Backup Codes. I think WebAuthn and TOTP are both valid as primary, so won't we need a way to let folks choose between them?

I can see someone with WebAuthn wanting to use TOTP as their secondary instead of Backup Codes, but maybe that's an edge case, and being opinionated will simplify the UI/setup. I do think it's nice to allow all 3 to be activated, though, as extra protection against losing a key/phone.

Enabled as an option should not be visible too (perhaps hard coded in the theme?)

What do you mean by that?

[pkevan]

won't we need a way to let folks choose between them?

It probably depends if we want to consider giving them an option to choose, as in the first method presented to them on a 2FA login. Or if it's too much of an edge case.

Enabled as an option should not be visible too (perhaps hard coded in the theme?)
What do you mean by that?

The current UI has a checkbox for enabled as well as primary. It feels a little confusing to show them and doesn't fit with the suggested UI, so guiding a user through that process and hiding it was what I meant.

[iandunn]

guiding a user through that process and hiding it was what I meant.

yeah, i don't think we need primary in the UI. we can just force that to be webauthn (if set), then fallback to TOTP if not 👍🏻