Check account age when considering backup code reminder

app/controllers/concerns/backup_code_reminder_concern.rb

@@ -13,6 +13,7 @@ def user_backup_codes_configured?
   end
 
   def user_last_signed_in_more_than_5_months_ago?
-    current_user.second_last_signed_in_at(since: 5.months.ago).blank?
+    current_user.created_at < 5.months.ago &&
+      current_user.second_last_signed_in_at(since: 5.months.ago).blank?
   end
 end

spec/controllers/concerns/backup_code_reminder_concern_spec.rb

@@ -29,24 +29,48 @@
     end
 
     context 'if the user has backup codes' do
-      let(:user) { create(:user, :fully_registered, :with_phone, :with_backup_code) }
+      context 'if the user account is less than 5 months old' do
+        let(:user) do
+          create(:user, :fully_registered, :with_phone, :with_backup_code, created_at: 1.day.ago)
+        end
 
-      context 'if the user has signed in more recently than 5 months ago' do
         before do
-          create(:event, user:, event_type: :sign_in_after_2fa, created_at: 4.months.ago)
           create(:event, user:, event_type: :sign_in_after_2fa, created_at: 1.minute.ago)
         end
 
         it { is_expected.to eq(false) }
       end
 
-      context 'if the user not signed in within the past 5 months' do
-        before do
-          create(:event, user:, event_type: :sign_in_after_2fa, created_at: 6.months.ago)
-          create(:event, user:, event_type: :sign_in_after_2fa, created_at: 1.minute.ago)
+      context 'if the user account is more than 5 months old' do
+        let(:user) do
+          create(:user, :fully_registered, :with_phone, :with_backup_code, created_at: 7.months.ago)
+        end
+
+        context 'if the user has signed in more recently than 5 months ago' do
+          before do
+            create(:event, user:, event_type: :sign_in_after_2fa, created_at: 4.months.ago)
+            create(:event, user:, event_type: :sign_in_after_2fa, created_at: 1.minute.ago)
+          end
+
+          it { is_expected.to eq(false) }
         end
 
-        it { is_expected.to eq(true) }
+        context 'if the user not signed in within the past 5 months' do
+          before do
+            create(:event, user:, event_type: :sign_in_after_2fa, created_at: 6.months.ago)
+            create(:event, user:, event_type: :sign_in_after_2fa, created_at: 1.minute.ago)
+          end
+
+          it { is_expected.to eq(true) }
+        end
+
+        context 'if the user is fully authenticating for the first time' do
+          before do
+            create(:event, user:, event_type: :sign_in_after_2fa, created_at: 1.minute.ago)
+          end
+
+          it { is_expected.to eq(true) }
+        end
       end
     end
   end

spec/features/two_factor_authentication/backup_code_sign_in_spec.rb

@@ -47,8 +47,13 @@
   end
 
   context 'when the user needs a backup code reminder' do
+    let(:user) do
+      create(:user, created_at: 10.months.ago, second_mfa_reminder_dismissed_at: 8.months.ago)
+    end
+
     let!(:event) do
       create(:event, user:, event_type: :sign_in_after_2fa, created_at: 9.months.ago)
+      create(:event, user:, event_type: :sign_in_after_2fa, created_at: 8.months.ago)
     end
 
     it 'redirects the user to the backup code reminder url and allows user to confirm possession' do