xi / django-mfa3

multi factor authentication for django

UX: Challenge changes on validation error when creating TOTP key

xi opened this issue · comments

When creating a TOTP key, a new challenge is generated on every request. So when I have a typo in the code I cannot simply fix the typo. Instead I have to delete the secret from my authenticator and start from scratch. This is both annoying and non-obvious.

The same issue theoretically also exists for all other form views. However, the challenge on TOTP auth is constant (None) and for the two FIDO2 views there is not really a way to have validation errors.

The big downside to keeping the challenge across requests is that this would be yet another case of state management with potential for security-related bugs.

This might not be so bad after all:

  • There can already be zombie state in the session if a user does a GET request, but no POST request. Expanding this to "no successful POST request" is not that bad.
  • Half of the challenge (state) is already stored in the session. Also storing the other half (data) is not that bad.
  • The important bit is to always generate a new challenge on GET, and only keep the challenge on unsuccessful POST.
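The three rules above (fresh challenge on every GET, same challenge kept across a failed POST, challenge consumed on success), as an added example that is not django-mfa3 code and not part of the original issue. It is framework-agnostic: the `request` is a plain dict standing in for a Django request, the session is a plain dict, and the session key name `mfa_totp_setup` and the `MAX_ATTEMPTS` cap are assumptions added here. The cap addresses the one new risk that keeping state across POSTs introduces: without it, the same secret could be guessed against indefinitely. TOTP itself is RFC 6238 HMAC-SHA1 implemented inline so the block runs offline.

```python
"""Constructed example (not django-mfa3 code): a TOTP-setup view that re-issues its
challenge on GET, keeps it across a failed POST, and consumes it on success.
`request` is a plain dict standing in for a framework request object."""
import base64
import hashlib
import hmac
import os
import struct
import time

SESSION_KEY = "mfa_totp_setup"   # hypothetical session key name
MAX_ATTEMPTS = 5                  # hypothetical cap on tries against one secret
STEP = 30
DIGITS = 6


def totp(secret_b32, t=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at unix time t."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, t=None, window=1):
    """Accept the current step and +/- `window` neighbours, constant-time compare."""
    now = time.time() if t is None else t
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret_b32, t=now + k * STEP), str(code))
    return ok


def new_challenge():
    """Fresh 160-bit secret, base32-encoded for the authenticator app."""
    return base64.b32encode(os.urandom(20)).decode()


def totp_setup_view(request):
    """request = {"method": "GET"|"POST", "session": dict, "POST": dict, "now": float}."""
    session = request["session"]
    now = request.get("now")

    if request["method"] == "GET":
        # Rule 1: every GET starts over with a brand-new challenge.
        session[SESSION_KEY] = {"secret": new_challenge(), "attempts": 0}
        return {"status": 200, "secret": session[SESSION_KEY]["secret"], "errors": []}

    state = session.get(SESSION_KEY)
    if state is None:
        # Nothing to validate against: the form was never fetched (or the session expired).
        return {"status": 400, "secret": None, "errors": ["no pending setup; reload the page"]}

    if verify_totp(state["secret"], request["POST"].get("code", ""), t=now):
        # Rule 3: success consumes the challenge; the secret is never reusable from here.
        del session[SESSION_KEY]
        return {"status": 302, "secret": None, "errors": []}

    # Rule 2: a failed POST keeps the same challenge so a typo can simply be fixed...
    state["attempts"] += 1
    if state["attempts"] >= MAX_ATTEMPTS:
        # ...but one secret must not be guessable indefinitely (hypothetical cap).
        del session[SESSION_KEY]
        return {"status": 400, "secret": None, "errors": ["too many attempts; reload the page"]}
    return {"status": 200, "secret": state["secret"], "errors": ["invalid code"]}
```

In a real Django view the `session` dict is `request.session` and the `now` parameter disappears in favour of the clock; the structure of the three branches is what matters. Note that a GET while a failed POST is pending deliberately discards the old secret, which is exactly the "zombie state" the thread considers acceptable.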