Page MenuHomePhabricator

Users should be notified when only two scratch tokens are left
Open, Needs TriagePublic

Description

Probably should be done using Echo

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 4 2016, 6:29 PM
Reedy updated the task description. (Show Details)Sep 16 2016, 11:01 PM
Reedy added a subscriber: Reedy.Sep 16 2016, 11:52 PM

In OATHAuthKey.php...

		// See if the user is using a scratch token
		if ( !$retval ) {
			$length = count( $this->scratchTokens );
			// Detect condition where all scratch tokens have been used
			if ( $length == 1 && "" === $this->scratchTokens[0] ) {
				$retval = false;
			} else {
				for ( $i = 0; $i < $length; $i++ ) {
					if ( $token === $this->scratchTokens[$i] ) {
						// If there is a scratch token, remove it from the scratch token list
						unset( $this->scratchTokens[$i] );
						$oathrepo = OATHAuthHooks::getOATHUserRepository();
						$user->setKey( $this );
						$oathrepo->persist( $user );
						// Only return true if we removed it from the database
						$retval = self::SCRATCH_TOKEN;
						break;
					}
				}
			}
		}

It should just need the notification stuff plumbing in (after being designed?) somewhere around there

Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?

From a user experience POV it would be nice to be able to list the tokens at any time as well. Google allows this on https://myaccount.google.com/security/signinoptions/two-step-verification and it has been handy in the past for me.

Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?

Yeah. Having to disable and re-enable is a bad user experience for sure.

From a user experience POV it would be nice to be able to list the tokens at any time as well. Google allows this on https://myaccount.google.com/security/signinoptions/two-step-verification and it has been handy in the past for me.

@csteipp can maybe comment more, but I don't know if I agree with this. The backup codes are a shared secret between the server and user, and we should avoid communicating shared secrets as much as possible. It'd be better to only show the codes once, and if the user wants to see them again, just generate brand new codes.

It'd be better to only show the codes once, and if the user wants to see them again, just generate brand new codes.

I'd be fine with that solution.

This comment was removed by Xaosflux.
TheDJ added a subscriber: TheDJ.Nov 13 2016, 9:44 AM
mxn added a subscriber: mxn.Nov 6 2017, 6:27 AM
Restricted Application added a project: Growth-Team. · View Herald TranscriptDec 6 2018, 6:24 PM

A better solution is for MW to just list out the remaining scratch codes left.

Reedy added a comment.Dec 9 2018, 5:15 PM

A better solution is for MW to just list out the remaining scratch codes left.

I'm not sure how a list somewhere a user isn't going to probably look is a better solution than a notification that they are much more likely to see

Catrope moved this task from Inbox to External on the Growth-Team board.Jan 8 2019, 2:16 AM