Description
The public metadata of the recovery codes credential is a little bit strange. It looks like this (related Java class is `RecoveryAuthnCodesCredentialData`):
The thing is that:

- Property `hashIterations` does not do anything. Should we remove it? Or do we rather still keep it for the future?
- Property `algorithm` is hardcoded to `RS512`. It is a little bit confusing to use an "RSA" type algorithm here as there is not any real asymmetric cryptography in place. The property is used only for hashing recovery codes in the DB, so recovery codes are not saved in plain text. The actual algorithm used under the covers is just hashing of the generated credential by SHA-512.
- Label `Password data` is incorrect. I am not 100% sure if this is an admin console UI issue and if it is the same issue for other credentials (like for example OTP or WebAuthn). Maybe this is based on the "user label" and it defaults to `Password data` if userLabel is not filled? In that case, we should make sure that we assign some sensible "User label" to the recovery codes credential.
If we want to improve this, we should make sure that there is backwards compatibility with the credentials generated in previous versions.
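As an added illustration (not Keycloak's code), the sketch below shows the point behind the `algorithm` bullet and the compatibility remark: the stored value is only a label for the digest applied to the recovery codes, so a verifier can keep accepting the legacy `RS512` label as an alias of SHA-512 while new credentials get an honest label and a sensible user label. The code format, JSON field names and hex encoding are assumptions, not Keycloak's actual storage format.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical alias table: legacy credentials carry "RS512" although the
# codes were only ever SHA-512 hashed, so both labels map to the same digest.
ALGORITHM_ALIASES = {"RS512": "sha512", "SHA-512": "sha512"}


def hash_code(code: str, algorithm: str = "SHA-512") -> str:
    """Hash one recovery code with the digest the label resolves to (hex encoding assumed)."""
    digest_name = ALGORITHM_ALIASES[algorithm]
    return hashlib.new(digest_name, code.encode("utf-8")).hexdigest()


def generate_credential(n: int = 12, algorithm: str = "SHA-512"):
    """Create n random codes; store only their hashes plus non-secret metadata."""
    codes = [secrets.token_hex(6).upper() for _ in range(n)]  # constructed code format
    credential = {
        "userLabel": "Recovery authentication codes",  # instead of a misleading default label
        "credentialData": json.dumps({"algorithm": algorithm, "totalCodes": n, "remainingCodes": n}),
        "secretData": json.dumps({"codes": [hash_code(c, algorithm) for c in codes]}),
    }
    return credential, codes


def consume_code(credential: dict, candidate: str) -> bool:
    """Verify a candidate against the stored hashes and burn it on success (single use)."""
    cred_data = json.loads(credential["credentialData"])
    secret = json.loads(credential["secretData"])
    candidate_hash = hash_code(candidate, cred_data["algorithm"])
    for i, stored in enumerate(secret["codes"]):
        if hmac.compare_digest(stored, candidate_hash):  # constant-time comparison
            del secret["codes"][i]
            cred_data["remainingCodes"] = len(secret["codes"])
            credential["secretData"] = json.dumps(secret)
            credential["credentialData"] = json.dumps(cred_data)
            return True
    return False
```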