Expect otp_recovery to be hashed

Author: helmo

interface/web/login/otp.php

@@ -86,7 +86,7 @@ function finish_2fa_success($msg = '') {
 		die("Sorry, contact your administrator.");
 	}
 
-	if ($_SESSION['otp']['recovery'] == $_POST['code']) {
+	if (password_verify($_POST['code'], $user['otp_recovery'])) {
 		finish_2fa_success('via 2fa recovery code');
 	}
 	else {