
Survey how other web properties using 2FA handle account reset
Open, Needs Triage, Public

Description

Consider Google, Github, etc.

Event Timeline

  • Google: They allow login if you have any one of your second factors available (i.e., they support SMS and phone call as alternatives to TOTP). Additionally, when logging in with 2FA, Google allows you to mark a computer as "trusted". You can use a trusted computer that is still logged in to disable 2FA. Otherwise, you need to file an account recovery form, which Google responds to manually after a few business days. Things they ask on the form (I presume they have a further protocol beyond submission of the form, probably involving submission of government ID):
    • The date you created your account and the date you last accessed it (required)
    • Your security question, if enabled (optional, even if the question is enabled)
    • Up to five email addresses you frequently contact and up to five Gmail labels you created (optional)
    • Your first recovery email address (optional)
    • Other Google products you use and approximately when you started using them (optional)
    • An explanation of how you lost access to your account
    • Contact information for sending the password reset
  • Facebook: Submission of a government ID, or (strangely) you can take a picture of yourself holding a code that Facebook gives you.
  • GitHub, Apple, and Dropbox: Do not offer account recovery at all. You either need a phone with SMS for backup, or another backup token of some sort. If you lose all of your 2FA, you have lost access to your account permanently.
  • LastPass: They allow removal of 2FA from the account by just sending a confirmation email to the primary account email. If you lost access to your primary email, I am not sure what options are available.
  • Amazon Web Services: You have to file a support ticket to remove 2FA, after which they call you on the phone and ask for some trivial verification information (such as your credit card number on file).
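Two of the mechanisms in the survey above (a spare single-use backup token, and LastPass-style removal of 2FA via an emailed confirmation link) are easy to get subtly wrong. The following is an added illustration, not code from Phabricator, MediaWiki or any of the sites surveyed: it models both paths in one small account object, with backup codes stored hashed and consumed on use, and a removal token that is bound to one pending request, time-limited and single-use. The class and method names, the 15-minute lifetime and the ten-code count are assumptions chosen for the example.

```python
"""Added example (not Phabricator/MediaWiki code): a minimal model of two
2FA reset paths from the survey above.

1. Single-use backup codes (the "another backup token" path).
2. Emailed 2FA-removal confirmation (the LastPass-style path): a random
   token, stored hashed, bound to one pending request, expiring, single-use.

Names, limits and the email step are assumptions, not any product's API.
"""
import hashlib
import hmac
import secrets
import time

BACKUP_CODE_COUNT = 10          # assumed policy value
TOKEN_TTL_SECONDS = 15 * 60     # assumed lifetime of the emailed link


class TwoFactorAccount:
    def __init__(self, username, email):
        self.username = username
        self.email = email
        self.totp_enabled = True
        self._backup_hashes = set()   # SHA-256 of unused backup codes only
        self._pending_reset = None    # (token_hash, expiry) or None

    @staticmethod
    def _hash(value):
        # Codes/tokens are high-entropy, so an unsalted hash is enough to
        # keep a database leak from revealing usable secrets.
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_backup_codes(self):
        """Generate fresh codes; only their hashes are kept server-side."""
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODE_COUNT)]
        self._backup_hashes = {self._hash(c) for c in codes}
        return codes  # shown to the user once, never stored in the clear

    def redeem_backup_code(self, code):
        """Accept a code exactly once; a reused or unknown code fails."""
        h = self._hash(code.strip().lower())
        if h not in self._backup_hashes:
            return False
        self._backup_hashes.discard(h)   # single-use
        return True

    def request_disable_2fa(self, now=None):
        """Start a removal request. Returns the token that would be emailed
        to self.email; a real system sends it and never returns it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only the newest request is valid: issuing a new token voids the old.
        self._pending_reset = (self._hash(token), now + TOKEN_TTL_SECONDS)
        return token

    def confirm_disable_2fa(self, token, now=None):
        """Consume the emailed token. Wrong, expired or reused tokens fail
        and leave 2FA enabled."""
        now = time.time() if now is None else now
        if self._pending_reset is None:
            return False
        token_hash, expiry = self._pending_reset
        if now > expiry:
            self._pending_reset = None   # expired links are dropped outright
            return False
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False                 # keep pending; caller should rate-limit
        self._pending_reset = None       # single-use
        self.totp_enabled = False
        self._backup_hashes.clear()      # old codes die with the old enrolment
        return True


if __name__ == "__main__":
    acct = TwoFactorAccount("alice", "alice@example.org")  # constructed sample
    codes = acct.issue_backup_codes()
    print("backup code works once:", acct.redeem_backup_code(codes[0]),
          acct.redeem_backup_code(codes[0]))
    link_token = acct.request_disable_2fa()
    print("wrong token rejected:", acct.confirm_disable_2fa("not-the-token"))
    print("real token accepted:", acct.confirm_disable_2fa(link_token),
          "2FA now enabled:", acct.totp_enabled)
```

The important properties are the ones the survey's weaker options lack: the emailed token is worthless after use or expiry, and possession of the mailbox is the only thing it proves, which is exactly why the LastPass path collapses to "whoever controls the primary email controls the account". A deployment would also rate-limit confirmation attempts and log every request against the account.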

FYI, an admin just lost his tokens and has no other way to identify himself to other functionaries, so he will most likely lose his account.

https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard#I.27m_going_to_lose_this_account

Reedy renamed this task from "Survey how other web properties using 2FA handle token/account reset" to "Survey how other web properties using 2FA handle account reset". Jan 1 2024, 8:51 PM