
OATH allows you to validate OATH during the enable phase using your scratch token
Closed, Resolved, Public

Description

While this is convenient for debugging, it is probably a giant trap that newbies could fall into.

Event Timeline

Change 322009 had a related patch set uploaded (by TheDJ):
Don't allow scratch tokens when enrolling for 2 auth.

https://gerrit.wikimedia.org/r/322009

Reedy suggests we might want a separate UI error for this situation:

How about: "You cannot use a scratch code to confirm two-factor authentication. Scratch codes are for backup and incidental use only. Please use a verification code from your code generator."

Better ideas are welcomed.

Change 322009 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Don't allow scratch tokens when enrolling for 2 auth.

https://gerrit.wikimedia.org/r/322009

Reedy assigned this task to TheDJ.
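
The behaviour the task asks for, as an added Python sketch that is not the OATHAuth extension's code: during the enable phase only a code from the generator is accepted and a scratch token gets its own error, while at login scratch tokens still work once each. The function names, return strings, drift window and sample scratch tokens are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid the ASCII-only limit on str input.
    return hmac.compare_digest(a.encode(), b.encode())

def matches_totp(secret, code, now, window=1, step=30):
    # Accept adjacent time steps to tolerate clock drift (window is an assumption).
    return any(_eq(totp(secret, max(now + d * step, 0), step), code)
               for d in range(-window, window + 1))

def verify_enrollment(secret, scratch_tokens, code, now):
    """Enable phase: only a generator code proves the device is set up."""
    if matches_totp(secret, code, now):
        return "ok"
    if any(_eq(t, code) for t in scratch_tokens):
        return "scratch-not-allowed"  # separate error, as proposed in the thread
    return "invalid"

def verify_login(secret, scratch_tokens, code, now):
    """Login phase: scratch tokens stay valid, but each one is single-use."""
    if matches_totp(secret, code, now):
        return "ok"
    for t in scratch_tokens:
        if _eq(t, code):
            scratch_tokens.remove(t)  # burn the token
            return "ok-scratch"
    return "invalid"

# Constructed sample data: RFC 6238 test secret and made-up scratch tokens.
SECRET = b"12345678901234567890"
SCRATCH = ["ABCD2345EFGH6789", "JKLM2345NPQR6789"]

if __name__ == "__main__":
    now = 59
    print(verify_enrollment(SECRET, SCRATCH, totp(SECRET, now), now))
    print(verify_enrollment(SECRET, SCRATCH, SCRATCH[0], now))
    print(verify_login(SECRET, list(SCRATCH), SCRATCH[0], now))
```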