When deactivating 2FA and activating it again (i.e. when changing devices and you cannot export your 2FA app data), the backup codes stay the same.
So it seems you can use them further. Is that correct?

Hmm… I have not tried it. I would try one of the codes to be sure. If one works then the rest are probably fine. Normally my suggestion would be to discard the old codes and make new ones.

That's true, you have the option to revoke them and make new ones.

Thanks for the replies.
I've made a test -> works fine 🙂

Perhaps it is necessary for security reasons to discard the old codes. Then maybe someone can open an issue on GitHub.

We have one at

I’m still hesitant about adding this just so. There is still the scenario where the 2FA dips into the disabled state when you reset your TOTP configuration, for example. It’s a bit strange that you would lose your existing codes and have to generate new ones.


If for some reason a user’s 2FA has to be reset, you (the admin) should do it for both - tokens and backup codes…