MFA (TOTP) QR code/secret key changes during setup with any error

When attempting to set up multi-factor authentication (MFA), if the six-digit PIN is entered incorrectly, the QR code refreshes/changes, so you have to rescan the QR code to generate a new MFA token and enter that one. This also occurs if you’re setting up a second MFA token, where the label field becomes required: if you don’t type in a label, it will refresh/change the QR code.

There are a couple of issues with this from a user experience perspective:

  • The QR code changing can be very subtle, so it’s not obvious that it changes, and the user continues trying to enter their six-digit PIN and it doesn’t work.
  • A new MFA token is generated with each QR code scan, so if a user has a couple of failed attempts, they’ll end up with multiple MFA tokens in their MFA app which can lead to confusion.

I don’t see any option for this from the UI, but is there an easy way to disable the QR code from changing? Also, what is the security concern with it not changing on a failed attempt during setup, especially if it’s just a label that wasn’t typed in?
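
One way a server can handle the enrollment flow described in the post above, as an added sketch that is not part of the original post and is not the product's code: the pending secret stays bound to the session across a missing label or a wrong code, and is rotated only on expiry or after too many wrong codes. `PendingEnrollment`, `submit`, the 10-minute lifetime and the 5-attempt cap are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class PendingEnrollment:
    """Hypothetical per-session enrollment state; not any product's API."""
    TTL = 600          # assumed: pending secret is valid for 10 minutes
    MAX_ATTEMPTS = 5   # assumed: wrong codes allowed before a forced rotation

    def __init__(self, now):
        self._rotate(now)

    def _rotate(self, now):
        # 160-bit secret; this is the value encoded into the QR code.
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.created, self.failures = now, 0

    def submit(self, code, label, now, label_required=False):
        """Return (status, secret_shown_in_qr) for one form submission."""
        if now - self.created > self.TTL:
            self._rotate(now)
            return "expired_rescan", self.secret
        if label_required and not label.strip():
            # Form validation error: no code was checked, so keep the QR code.
            return "label_missing", self.secret
        # Accept the current and previous time step to tolerate clock drift.
        ok = any(hmac.compare_digest(totp(self.secret, now - d).encode(), code.encode())
                 for d in (0, 30))
        if ok:
            return "enrolled", self.secret
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self._rotate(now)  # bound the guesses possible against one secret
            return "too_many_attempts_rescan", self.secret
        return "wrong_code_retry", self.secret
```
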