
Token not persisting when changing Two Factor Auth device

DfKimera
I'm New Here
May 14, 2024

There seems to be a serious issue when a Two-Factor Authentication device is changed; it seems the change is not persisted, and my old token stays valid instead of the new one.

Earlier in the year I transitioned from Authy to 1Password for my 2FA. So, naturally, I went ahead and disabled 2FA, then re-enabled it again with a *fresh time-based key* by going into my Atlassian Account "Security" tab. It accepted the newly generated code, so I saved the recovery key locally, thinking all was good.

Cue to a couple weeks later, when my device auth expires. It asks for a 2FA login, and I try the new 1Password codes: nothing. I try about a dozen times, to no effect. On a hunch, I try my *old* 2FA token in Authy, which I luckily still have, and bingo: it works!

I've been through this cycle about 4 times now, and it seems that the Atlassian Account 2FA flow refuses to persist my changes. This has happened consistently to me over the past couple months.

If it's not just me, this seems like a serious potential security issue: imagine if my phone with an old authenticator was stolen, and this person could log in using a token that I was sure I had removed from my account?

Has anyone else had this problem before? I couldn't reach out to Atlassian support since my account is free.

0 answers
