DEV: increase the length of backup codes

16 ^ 8 though not tiny but is a workable search space in the event of
breach, 16 ^ 16 is not.

app/models/concerns/second_factor_manager.rb

@@ -191,7 +191,7 @@ module SecondFactorManager
   def generate_backup_codes
     codes = []
     10.times do
-      codes << SecureRandom.hex(8)
+      codes << SecureRandom.hex(16)
     end
 
     codes_json = codes.map do |code|

spec/requests/users_controller_spec.rb

@@ -3548,7 +3548,8 @@ describe UsersController do
 
           response_body = JSON.parse(response.body)
 
-          expect(response_body['backup_codes'].length).to be(10)
+          # we use SecureRandom.hex(16) for backup codes, ensure this continues to be the case
+          expect(response_body['backup_codes'].map(&:length)).to eq([32] * 10)
         end
       end
     end