Multiple 2FA registrations per account

[LeeteqXV]

Google Accounts is doing this "right", offering the added flexibility of accepting multiple 2FA registrations per account, both for TOTP and for U2F/SecurityKeys.

Twitter currently only offer 1 of each per account.

IMO, Mastodon should follow the example of being flexible, with customiseable settings to activate/deactive/reactivate each entry any time.

This will add extra "security" for people to be able to use multiple devices, also for account recovery without needing to contact the site admin/support for assistance.

[LeeteqXV]

Assuming that this limitation lies in the "devise-two-factor" project that Mastodon relies on, I filed this feature request over there:
Ref. ("Multiple 2FA registrations per account") -> devise-two-factor/devise-two-factor#151

[osfast]

+1
I would love to be able to use a security key like a yubikey

[Gargron]

You can use a Yubikey with Mastodon today but it's behind TOTP (I do not know why, it was not my decision, webauthn support was contributed by an outside collaborator).

[McPringle]

This feature would be great for shared accounts. We have an account for our Java User Group which is managed by two people. Unfortunately we can't use 2FA now.

[hinricht]

Can I add multiple hardware security tokens a.k.a. yubikeys ?
The 2fa hardware device setup page suggests so:

[hinricht]

I tried to add a second hardware security tokens a.k.a. yubikey to my account, both showed up in the list but only the second one worked and removed authentication from the first.
This is a serious limitation and UX issue, in case a user adds a device without testing properly, not knowing that by adding one the user looses access using the old one.
Please fix this soon, either by fixing the UI / not allowing multiple devices, or by properly supporting multiple devices.