
OATH allows you to validate OATH during the enable phase using your scratch token
Closed, Resolved · Public

Description

While this is convenient for debugging, it is probably a giant trap that newbies could fall into.

Event Timeline

Bawolff created this task. · Nov 16 2016, 1:37 AM
Restricted Application added a subscriber: Aklapper. · Nov 16 2016, 1:37 AM

Change 322009 had a related patch set uploaded (by TheDJ):
Don't allow scratch tokens when enrolling for 2 auth.

https://gerrit.wikimedia.org/r/322009

TheDJ added a subscriber: TheDJ. · Nov 17 2016, 2:40 PM

Reedy suggests we might want a separate UI error for this situation:

How about: "You cannot use a scratch code to confirm two-factor authentication. Scratch codes are for backup and incidental use only. Please use a verification code from your code generator."

Better ideas are welcomed.

Change 322009 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Don't allow scratch tokens when enrolling for 2 auth.

https://gerrit.wikimedia.org/r/322009

Reedy closed this task as Resolved. · May 20 2017, 12:24 PM
Reedy assigned this task to TheDJ.
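
The check this task asks for, as an added Python example rather than OATHAuth's own code or the merged patch: a verifier that accepts scratch tokens at login but refuses them, with a separate error, while confirming enrollment. The function names, the `enrolling` flag, the exception and the sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults: 30-second step, 6-digit codes

class ScratchTokenNotAllowed(Exception):
    """A valid scratch token was offered while confirming enrollment."""

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time code for one counter value (TOTP uses time // STEP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def matches_any(candidate: str, values) -> bool:
    """Compare against every value in constant time, with no early exit."""
    found = False
    for value in values:
        found |= hmac.compare_digest(candidate.encode(), value.encode())
    return found

def verify(secret, scratch_tokens, submitted, now, enrolling, window=1):
    """Return "totp" or "scratch" on success and None on a wrong code.

    scratch_tokens is a mutable set; a token used at login is removed.
    With enrolling=True (assumed flag) a scratch token raises instead, so
    enrollment only completes once the code generator is shown to work.
    """
    submitted = submitted.replace(" ", "")
    counter = int(now) // STEP
    first = max(0, counter - window)  # never pack a negative counter
    codes = [hotp(secret, c) for c in range(first, counter + window + 1)]
    if matches_any(submitted, codes):
        return "totp"
    if matches_any(submitted, scratch_tokens):
        if enrolling:
            # Separate error, using the wording proposed in the task.
            raise ScratchTokenNotAllowed(
                "You cannot use a scratch code to confirm two-factor "
                "authentication.")
        scratch_tokens.discard(submitted)  # single use
        return "scratch"
    return None

# Constructed sample data: RFC 4226 test secret and a made-up scratch token.
SECRET = b"12345678901234567890"
SCRATCH = "ABCD2345EFGH6789"
```

A scratch token rejected during enrollment is not consumed, so it stays valid for later login use.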