
Possible issue with 2FA tokens
Closed, Resolved · Public

Description

Off the back of me thinking my TOTP client had broken (T168047) I've now heard from other users that their tokens are being rejected.

Chrissymad has been having the same issues, and on trying her saved scratch codes still gets the Verification failed error.

Steps to reproduce

  1. Log out
  2. Log back in (username + password)
  3. Be asked for token, use Google Auth to retrieve
  4. Enter token, get Verification failed error
<TheresNoTime> Hi, having an issue with 2FA - trying to disable it on my account (https://en.wikipedia.org/wiki/Special:CentralAuth/There%27sNoTime) and it's not accepting my auth code Google Authenticator is providing. I'm signed in still, so can prove control of the account if necessary
<TheresNoTime> (also, should this request to disable it be logged on phab?)
<TheresNoTime> Appears I'm also now not logged into phab so can't log that
<Chrissymad> fwiw i'm also having similar problems to TheresNoTime :P 
<Chrissymad> yeah so now i have a big problem
<Chrissymad> i accidentally logged out 
<Chrissymad> and now i get the auth failed error too :( 
<Chrissymad> and now it logged me out on my phone 
<p858snake> Reedy: when you wake ^
<Chrissymad> i also tried resetting the qr code in my client and no dice 
<Chrissymad> i do have my scratch codes though 
<Chrissymad> annnnd scratch doesn't work either

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jun 16 2017, 1:17 PM
K6ka added a subscriber: K6ka. · Jun 16 2017, 1:28 PM
Peachey88 triaged this task as High priority. · Jun 16 2017, 1:34 PM
Peachey88 raised the priority of this task from High to Unbreak Now!.
Peachey88 edited projects, added Operations; removed MediaWiki-extensions-OATHAuth.
Peachey88 updated the task description.
Restricted Application added subscribers: Jay8g, TerraCodes. · Jun 16 2017, 1:34 PM
Anomie added a subscriber: Anomie. · Jun 16 2017, 1:45 PM

Steps to reproduce

  1. Log out
  2. Log back in (username + password)
  3. Be asked for token, use Google Auth to retrieve
  4. Enter token, get Verification failed error

I just now logged in to enwiki using an account with 2FA enabled without any problem.

While I have no reason to think it's at all related, for completeness I note I use FreeOTP rather than Google Authenticator.

@Anomie for what it's worth, Chrissymad uses FreeOTP as well. Thanks for the clarity though; it doesn't look like it's a direct issue with the 2FA functionality, as there are other people I've mentioned this to who don't have issues.

I can't think of any reason why only a few people would be affected; doubtful it's other environmental variables (browser etc.).

Hi,

I just tried Phabricator and wikitech and they worked fine.
Disabled it on wikitech, logged out, logged in, enabled it again, logged out and logged in fine.

For the record I use Authy

Tgr lowered the priority of this task from Unbreak Now! to Normal. · Edited · Jun 16 2017, 1:59 PM
Tgr added a subscriber: Tgr.

Works fine with Google Authenticator as well.

I can think of two things: your clock is really off (minutes, at least) or you have updated your 2FA credentials (disabled/reenabled, or maybe that somehow happened without notice due to some kind of bug) and you are trying to use the old ones. If you share one of your scratch tokens we can check (but make sure to do it in a separate paste and set visibility to the Security project).

TheDJ added a subscriber: TheDJ. · Jun 16 2017, 2:03 PM

For anyone who has made use of scratch codes and succeeded logging in: Please remember that because of T131788: Users should be notified when only two scratch tokens are left and T150601: Add option to generate new set of scratch codes it's not yet possible to get a new set of scratch codes and it won't tell you when you are running out :/

If you think you might be close to running out, disable and reenable 2FA to generate a new set of scratch codes.

TNTPublic added a comment. · Edited · Jun 16 2017, 2:06 PM

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is:

Google Authenticator --> Settings --> Time correction for codes --> Sync now

(Chrissymad's issue is still outstanding)

Samtar added a subscriber: Samtar. · Jun 16 2017, 2:51 PM

Chrissymad still cannot use 2FA, and still gets the invalid token error on both the TOTP code and scratch codes. She has checked her phone's time and it is correct.

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

I can confirm Anomie's comment: I can log out/log in without problems on frwiki, with FreeOTP.

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is:
Google Authenticator --> Settings --> Time correction for codes --> Sync now

Great! Perhaps you can add this somewhere on a documentation page?

Tgr added a comment. · Jun 16 2017, 5:02 PM

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

That's Chrissymad on one of the CentralAuth wikis (not wikitech), right? In that case, that code does not match the actual data. So either she successfully used that token in the past and got "scratched" from the DB (I can't think of an easy way to verify that), or (more likely) her 2FA credentials got updated somehow (maybe disabled/reenabled?). As long as it does not happen to other people it's more likely to be some accidental mistake than a software bug.

The 2FA reset procedure can be found at https://wikitech.wikimedia.org/wiki/Password_reset.
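A worked illustration of the failure modes Tgr describes in the two comments above (a client clock that is minutes off, and a phone holding a secret that no longer matches the server's record after 2FA was disabled and re-enabled) together with the single-use nature of scratch codes that TheDJ warns about. This is an added example, not code from OATHAuth or from anyone on this task. It uses the RFC 6238 Appendix B SHA-1 test-vector key and a timestamp from the same table, constructed scratch codes, and an assumed acceptance window of one 30-second step on either side; that window is for illustration only and is not OATHAuth's configured value.

```python
import hashlib
import hmac
import struct
from typing import Iterable

TIME_STEP = 30   # RFC 6238 default step in seconds
DIGITS = 6
# Accepted client clock drift in time steps (+/-1 step = +/-30 s).
# Assumed value for illustration; OATHAuth's real window may differ.
WINDOW = 1

# RFC 6238 Appendix B SHA-1 test-vector key and a timestamp from the same
# table; not a real account secret.
RFC_SECRET = b"12345678901234567890"
SERVER_NOW = 1111111111


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, at // step)


class TwoFactorRecord:
    """Server-side 2FA state for one account: shared secret plus one-time scratch codes."""

    def __init__(self, secret: bytes, scratch_codes: Iterable[str]):
        self.secret = secret
        self.scratch_codes = set(scratch_codes)

    def verify(self, token: str, now: int, window: int = WINDOW) -> str:
        """Return 'totp', 'scratch' or 'failed' for a submitted token."""
        counter = now // TIME_STEP
        # Try the current step and `window` steps on either side so a slightly
        # slow or fast phone still authenticates; compare in constant time.
        for delta in range(-window, window + 1):
            expected = hotp(self.secret, counter + delta).encode()
            if hmac.compare_digest(expected, token.encode()):
                return "totp"
        # Fall back to scratch codes; a used code is removed ("scratched").
        if token in self.scratch_codes:
            self.scratch_codes.discard(token)
            return "scratch"
        return "failed"


def demonstrate() -> dict:
    """Run the cases discussed in the task and return the outcome of each."""
    record = TwoFactorRecord(RFC_SECRET, ["11111111", "22222222"])  # constructed scratch codes
    results = {}
    # Phone 20 s slow: previous time step, inside the window -> accepted.
    results["slow_20s"] = record.verify(totp(RFC_SECRET, SERVER_NOW - 20), SERVER_NOW)
    # Phone 5 min slow: ten steps back -> rejected, as in the report.
    results["slow_5min"] = record.verify(totp(RFC_SECRET, SERVER_NOW - 300), SERVER_NOW)
    # A scratch code is accepted once and consumed.
    results["scratch_first"] = record.verify("11111111", SERVER_NOW)
    results["scratch_second"] = record.verify("11111111", SERVER_NOW)
    # Disabling and re-enabling 2FA stores a new secret; a phone still holding
    # the old one generates tokens the server cannot match.
    reenrolled = TwoFactorRecord(b"ABCDEFGHIJKLMNOPQRST", [])  # constructed new secret
    results["old_secret_after_reenroll"] = reenrolled.verify(
        totp(RFC_SECRET, SERVER_NOW), SERVER_NOW
    )
    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:>26}: {outcome}")
```

Running the block prints one line per case. The 20-second drift is absorbed by the window, while the phone that is five minutes slow fails exactly as TheresNoTime's did until Google Authenticator's time correction was applied. The scratch code is accepted once and then rejected, which is the "scratched from the DB" situation Tgr raises, and tokens from the old secret fail against the re-enrolled record, which is the disabled/re-enabled case; in either of those the stored data simply no longer matches what the user holds, and only a reset by an administrator (the procedure linked above) gets them back in.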

Reedy added a subscriber: Reedy. · Jun 16 2017, 7:31 PM

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

That's Chrissymad on one of the CentralAuth wikis (not wikitech), right? In that case, that code does not match the actual data. So either she successfully used that token in the past and got "scratched" from the DB (I can't think of an easy way to verify that), or (more likely) her 2FA credentials got updated somehow (maybe disabled/reenabled?). As long as it does not happen to other people it's more likely to be some accidental mistake than a software bug.

I think we've had it happen a "few" times, where people have saved the OTP and have put the secret into the phone, but it's just not worked.

I don't know how it's happened. Whether they've saved one, not finished the process, then enabled it again later but not saved the new credentials, or if there's been a page refresh and new details generated...

Mentioned in SAL (#wikimedia-operations) [2017-06-16T19:54:43Z] <Reedy> disabled cluster 2fa for Chrissymad for T168064 (confirmed by email)

Reedy closed this task as Resolved. · Jun 16 2017, 9:30 PM
Reedy claimed this task.