Page MenuHomePhabricator

Possible issue with 2FA tokens
Closed, ResolvedPublic

Description

Off the back of me thinking my TOTP client had broken (T168047) I've now heard from other users that their tokens are being rejected.

Chrissymad has been having the same issues, and on trying her saved scratch codes still gets the Verification failed error.

Steps to reproduce

  1. Log out
  2. Log back in (username + password)
  3. Be asked for token, use Google Auth to retrieve
  4. Enter token, get Verification failed error
<TheresNoTime> Hi, having an issue with 2FA - trying to disable it on my account (https://en.wikipedia.org/wiki/Special:CentralAuth/There%27sNoTime) and it's not accepting my auth code Google Authenticator is providing. I'm signed in still, so can prove control of the account if necessary
<TheresNoTime> (also, should this request to disable it be logged on phab?)
<TheresNoTime> Appears I'm also now not logged into phab so can't log that
<Chrissymad> fwiw i'm also having similar problems to TheresNoTime :P 
<Chrissymad> yeah so now i have a big problem
<Chrissymad> i accidentally logged out 
<Chrissymad> and now i get the auth failed error too :( 
<Chrissymad> and now it logged me out on my phone 
<p858snake> Reedy: when you wake ^
<Chrissymad> i also tried resetting the qr code in my client and no dice 
<Chrissymad> i do have my scratch codes though 
<Chrissymad> annnnd scratch doesn't work either

Event Timeline

Peachey88 raised the priority of this task from High to Unbreak Now!.
Peachey88 edited projects, added SRE; removed MediaWiki-extensions-OATHAuth.
Peachey88 updated the task description. (Show Details)

Steps to reproduce

  1. Log out
  2. Log back in (username + password)
  3. Be asked for token, use Google Auth to retrieve
  4. Enter token, get Verification failed error

I just now logged in to enwiki using an account with 2FA enabled without any problem.

While I have no reason to think it's at all related, for completeness I note I use FreeOTP rather than Google Authenticator.

@Anomie for what it's worth Chrissymad uses FreeOTP as well. Thanks for clarity though, doesn't look like it's a direct issue with the 2FA functionality as there are other people I've mentioned this to who don't have issues..

I can't think of any reasons why only a few people would be affected, doubtful it's other environmental variables (browser etc)

Hi,

I just tried phabricator and wikitech and worked fine.
Disabled it on wikitech, logged out, logged in, enabled it again, logged out and logged in finely.

For the record I use Authy

Tgr lowered the priority of this task from Unbreak Now! to Medium.EditedJun 16 2017, 1:59 PM
Tgr added a subscriber: Tgr.

Works fine with Google Authenticator as well.

I can think of two things: your clock is really off (minutes, at least) or you have updated your 2FA credentials (disabled/reenabled, or maybe that somehow happened without notice due to some kind of bug) and you are trying to use the old ones. If you share one of your scratch tokens we can check (but make sure to do it in a separate paste and set visibility to the Security project).

For anyone who has made use of scratch codes and succeeded logging in: Please remember that because of T131788: Users should be notified when only two scratch tokens are left and T150601: Add option to generate new set of scratch codes it's not yet possible to get a new set of scratch codes and it won't tell you when you are running out :/

If you think you might be close to running out, disable and reenable 2FA to generate a new set of scratch codes.

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is;

Google Authenticator --> Settings --> Time correction for codes --> Sync now

(Chrissymad's issue is still outstanding)

Chrissymad still cannot use 2FA, and still gets the invalid token error on both the TOTP code and scratch codes. She has checked her phone's time and it is correct.

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

I can confirm Anomie's comment : I can logout/login without problems on frwiki, with FreeOTP.

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is;

Google Authenticator --> Settings --> Time correction for codes --> Sync now

Great ! Perhaps you can add this somewhere on a Documentation page ?

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

That's Chrissymad on one of the CentralAuth wikis (not wikitech), right? In that case, that code does not match the actual data. So either she successfully used that token in the past and got "scratched" from the DB (I can't think of an easy way to verify that), or (more likely) her 2FA credentials got updated somehow (maybe disabled/reenabled?). As long as it does not happen to other people it's more likely to be some accidental mistake than a software bug.

The 2FA reset procedure can be found at https://wikitech.wikimedia.org/wiki/Password_reset.

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

That's Chrissymad on one of the CentralAuth wikis (not wikitech), right? In that case, that code does not match the actual data. So either she successfully used that token in the past and got "scratched" from the DB (I can't think of an easy way to verify that), or (more likely) her 2FA credentials got updated somehow (maybe disabled/reenabled?). As long as it does not happen to other people it's more likely to be some accidental mistake than a software bug.

I think we've had it happen a "few" times... Where people have saved the OTP and have put the secret into the phone, but it's not just worked..

I don't know how it's happened. Whether they've saved one, not finished the process, then enabled it again later, but not saved the new credentials.. Or if there's been a page refresh, and new details generated...

Mentioned in SAL (#wikimedia-operations) [2017-06-16T19:54:43Z] <Reedy> disabled cluster 2fa for Chrissymad for T168064 (confirmed by email)

Reedy claimed this task.