fixes and addition of backup codes

user_manual/user_2fa.rst

@@ -1,8 +1,8 @@
-=============================
-Using 2 Factor Authentication
-=============================
+===============================
+Using two-factor authentication
+===============================
 
-Two Factor Authentication (2FA) is a way to protect your Nextcloud account
+Ttwo-factor authentication (2FA) is a way to protect your Nextcloud account
 against unauthorized access. It works by requiring two different 'proofs' of
 your identity. For example, *something you know* (like a password) and 
 *something you have* like a physical key. Typically, the first factor is a
@@ -11,12 +11,12 @@ receive or a code you generate on your phone or another device
 (*something you have*). Nextcloud supports a variety of 2nd factors and
 more can be added.
 
-Once a Two Factor Authentication app has been enabled by your administrator
+Once a two-factor authentication app has been enabled by your administrator
 you can enable and configure it in :doc:`userpreferences`. Below you can
 see how.
 
-Configuring 2 Factor Authentication
-===================================
+Configuring two-factor authentication
+=====================================
 In your Personal Settings look up the Second-factor Auth setting. In this
 example this is TOTP, a Google Authenticator compatible time based code.
   
@@ -28,30 +28,45 @@ on your phone (or another device). Depending on the app or tool, type in the
 code or scan the QR and your device will show a login code which changes
 every 30 seconds.
 
-Logging in with 2 Factor Authentication
-=======================================
-After you have logged out and need to log in again, you will see a
-*2FA challenge*, a request to enter the TOTP code in your browser.
-  
-.. figure:: images/totp_login_1.png
-     :alt: TOTP challenge at login.
+Recovery codes in case you lost your 2nd factor
+===============================================
+You should always generate backup codes for 2FA. If your 2nd factor device
+gets stolen or is not working, you will be able to use one of these codes to
+unlock your account. It effectively functions as a backup 2nd factor. To
+get the backup codes, go to your Personal Settings and look under Second-factor
+Auth settings. Choose *Generate backup codes*.
 
-Click on *Authenticate with a TOTP app* and enter your code:
+.. figure:: images/2fa_backupcode_1.png
+     :alt: 2FA backup code generator
+
+You will then be presented with a list of one-time-use backup codes.
+     
+.. figure:: images/2fa_backupcode_2.png
+     :alt: 2FA backup codes
+
+You should put these codes in a safe spot, somewhere you can find them. Don't
+put them together with your 2nd factor like your mobile phone but make sure that
+if you lose one, you still have the other. Keeping them at home is probably
+the best thing to do.
+
+Logging in with two-factor authentication
+=========================================
+After you have logged out and need to log in again, you will see a request to
+enter the TOTP code in your browser. Just enter your code:
   
 .. figure:: images/totp_login_2.png
      :alt: Entering TOTP code at login.
 
 If the code was correct you will be redirected to your Nextcloud account.
-You will not have to enter the code again in this browser unless you clear
-the browser cookies.
 
 .. note:: Since the code is time-based, it’s important that your server’s and
 your smartphone’s clock are almost in sync. A time drift of a few seconds
 won’t be a problem.
 
-Using clients with 2 Factor Authentication
-==========================================
-Once you have enabled 2FA, your clients will no longer be able to connect
-unless they also have support for 2 Factor Authentication. However, you can
-generate device specific passwords for them. See :doc:`session_management` for
-more information on how to do this.
+Using client applications with two-factor authentication
+========================================================
+Once you have enabled 2FA, your clients will no longer be able to connect with
+just your password unless they also have support for two-factor authentication.
+To solve this, you should generate device specific passwords for them. See 
+:doc:`session_management` for more information on how to do this.
+