Switching Authenticators
It would be nice to be able to change my Authenticator (TOPT) settings without having to first delete all of my 2FA keys. I simply want to switch from using Authy Authenticator to a different Authenticator app, but to do so I have to first turn off 2FA, which deletes all my 2FA keys. Most apps allow me to simply delete Authenticator app as a 2FA option, and then re-add it.
-
Peter S commented
My use case is that I initially set up TOTP-based multi-factor authentication, and I did not save the QR code because I did not realize that I would not be able to access it again or that a single, shared QR code had to be used for all authenticator apps.
Years passed, and I've now gotten a new phone. In the interim, I registered multiple security keys, including one off-site backup, and I cannot change the TOTP authenticator without first deleting all security keys, which I would then have to re-add.
Another use case is wanting to individually revoke authenticator apps that have been compromised. If I lose a hardware security key, Proton allows me to individually revoke that security key; but if I lose a phone, or a software vulnerability exposes the TOTP secrets held on that device, I can only revoke that TOTP secret by turning MFA entirely off and back on, deleting all existing security keys in the process.
Being able to individually add and revoke TOTP authenticator apps would resolve both of the above use cases. Being able to re-initialize TOTP authentication without deleting existing hardware security keys would satisfy the first use case but not the second one.
It seems as though the inability to disable TOTP MFA without turning off (and deleting key registrations for) security key MFA is intentional, forcing users to have a backup authentication method, but the current implementation has in fact achieved the opposite effect, limiting my access to backup authentication methods until I make time to collect my backup security keys to re-register them, because I do not routinely carry my old phone with me.