
Possible issue with 2FA tokens
Closed, ResolvedPublic

Description

Off the back of me thinking my TOTP client had broken (T168047) I've now heard from other users that their tokens are being rejected.

Chrissymad has been having the same issues, and on trying her saved scratch codes still gets the Verification failed error.

Steps to reproduce

  1. Log out
  2. Log back in (username + password)
  3. Be asked for token, use Google Auth to retrieve
  4. Enter token, get Verification failed error
<TheresNoTime> Hi, having an issue with 2FA - trying to disable it on my account (https://en.wikipedia.org/wiki/Special:CentralAuth/There%27sNoTime) and it's not accepting my auth code Google Authenticator is providing. I'm signed in still, so can prove control of the account if necessary
<TheresNoTime> (also, should this request to disable it be logged on phab?)
<TheresNoTime> Appears I'm also now not logged into phab so can't log that
<Chrissymad> fwiw i'm also having similar problems to TheresNoTime :P 
<Chrissymad> yeah so now i have a big problem
<Chrissymad> i accidentally logged out 
<Chrissymad> and now i get the auth failed error too :( 
<Chrissymad> and now it logged me out on my phone 
<p858snake> Reedy: when you wake ^
<Chrissymad> i also tried resetting the qr code in my client and no dice 
<Chrissymad> i do have my scratch codes though 
<Chrissymad> annnnd scratch doesn't work either

Event Timeline

Peachey88 raised the priority of this task from High to Unbreak Now!.
Peachey88 edited projects, added SRE; removed MediaWiki-extensions-OATHAuth.
Peachey88 updated the task description.

I just now logged in to enwiki using an account with 2FA enabled without any problem.

While I have no reason to think it's at all related, for completeness I note I use FreeOTP rather than Google Authenticator.

@Anomie for what it's worth Chrissymad uses FreeOTP as well. Thanks for clarity though, doesn't look like it's a direct issue with the 2FA functionality as there are other people I've mentioned this to who don't have issues.

I can't think of any reasons why only a few people would be affected, doubtful it's other environmental variables (browser etc)

Hi,

I just tried phabricator and wikitech and it worked fine.
Disabled it on wikitech, logged out, logged in, enabled it again, logged out and logged in fine.

For the record I use Authy

Tgr lowered the priority of this task from Unbreak Now! to Medium. Edited Jun 16 2017, 1:59 PM
Tgr added a subscriber: Tgr.

Works fine with Google Authenticator as well.

I can think of two things: your clock is really off (minutes, at least) or you have updated your 2FA credentials (disabled/reenabled, or maybe that somehow happened without notice due to some kind of bug) and you are trying to use the old ones. If you share one of your scratch tokens we can check (but make sure to do it in a separate paste and set visibility to the Security project).

For anyone who has made use of scratch codes and succeeded logging in: Please remember that because of T131788: Users should be notified when only two scratch tokens are left and T150601: Add option to generate new set of scratch codes it's not yet possible to get a new set of scratch codes and it won't tell you when you are running out :/

If you think you might be close to running out, disable and reenable 2FA to generate a new set of scratch codes.

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is:

Google Authenticator --> Settings --> Time correction for codes --> Sync now

(Chrissymad's issue is still outstanding)

Chrissymad still cannot use 2FA, and still gets the invalid token error on both the TOTP code and scratch codes. She has checked her phone's time and it is correct.

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

I can confirm Anomie's comment: I can logout/login without problems on frwiki, with FreeOTP.

@Tgr I'll show myself out, it was a timing issue with GA. For the future, the solution is:

Google Authenticator --> Settings --> Time correction for codes --> Sync now

Great! Perhaps you can add this somewhere on a documentation page?

In T168064#3355131, @Samtar wrote:

As mentioned above, I have pasted on her behalf a scratch code at P5588 (visible only to members of Security) which may be helpful?

That's Chrissymad on one of the CentralAuth wikis (not wikitech), right? In that case, that code does not match the actual data. So either she successfully used that token in the past and got "scratched" from the DB (I can't think of an easy way to verify that), or (more likely) her 2FA credentials got updated somehow (maybe disabled/reenabled?). As long as it does not happen to other people it's more likely to be some accidental mistake than a software bug.

The 2FA reset procedure can be found at https://wikitech.wikimedia.org/wiki/Password_reset.
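The two failure modes Tgr describes in this thread (a phone clock that is minutes off, and credentials that were re-enrolled so the old secret no longer matches), plus the "scratched from the DB" behaviour of scratch codes, can be shown with a small RFC 6238 verifier. The block below is an added example written for this page, not OATHAuth's own code: the key is the RFC 6238 Appendix B test key, the timestamps and scratch tokens are constructed, and the diagnose() helper and its 20-step search width are my own assumptions about how one might triage a rejected code.

```python
"""Added example: how a TOTP server decides "Verification failed".

Not OATHAuth code. The key is the RFC 6238 Appendix B test key; the
timestamps and scratch tokens below are constructed for illustration.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B shared secret used for its SHA-1 test vectors.
RFC_KEY = b"12345678901234567890"
STEP = 30  # seconds per time step, as used by Google Authenticator / FreeOTP


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is derived from the clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = STEP, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side. A phone clock several minutes adrift falls outside this and is
    rejected exactly like a wrong code."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, current + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def diagnose(key: bytes, code: str, unix_time: int, window: int = 1,
             search: int = 20) -> str:
    """Hypothetical triage helper (not in OATHAuth). Searching a wider span of
    steps separates "clock skew" from "this secret never produced that code",
    the latter being what a silently re-enrolled 2FA setup looks like."""
    if verify_totp(key, code, unix_time, window):
        return "ok"
    current = unix_time // STEP
    for drift in range(-search, search + 1):
        if hotp(key, current + drift) == code:
            return f"clock skew: client is {drift * STEP:+d}s from server"
    return "no match near now: secret differs (re-enrolled?) or code mistyped"


class ScratchStore:
    """One-time recovery codes. A redeemed token is removed ("scratched"), so
    presenting it again fails like any wrong token, and nothing warns the user
    how many remain."""

    def __init__(self, tokens):
        self._unused = set(tokens)

    def redeem(self, token: str) -> bool:
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def scenario() -> dict:
    """Constructed walk-through; the server clock is an RFC 6238 test timestamp."""
    server_now = 1111111109
    results = {}
    # Phone clock 3 minutes slow: six steps behind, outside the +/-1 window.
    slow_code = totp(RFC_KEY, server_now - 180)
    results["slow_phone"] = verify_totp(RFC_KEY, slow_code, server_now)
    results["slow_phone_reason"] = diagnose(RFC_KEY, slow_code, server_now)
    # 20 seconds slow still lands in the same step and is accepted.
    results["slightly_slow_phone"] = verify_totp(RFC_KEY, totp(RFC_KEY, server_now - 20), server_now)
    # Scratch tokens (constructed values): first use succeeds, reuse fails.
    store = ScratchStore(["aaaa-1111", "bbbb-2222"])
    results["scratch_first_use"] = store.redeem("aaaa-1111")
    results["scratch_reuse"] = store.redeem("aaaa-1111")
    results["scratch_left"] = store.remaining()
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running scenario() shows the slow-phone code rejected by verify_totp() while diagnose() attributes it to a -180s offset, which is the situation Google Authenticator's "Time correction for codes" fixes; a code produced from a different secret, as with a re-enrolled account, matches nowhere near the current step, and a scratch token that has already been redeemed is indistinguishable from a wrong one on the second attempt.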

I think we've had it happen a "few" times... Where people have saved the OTP and have put the secret into the phone, but it's not just worked..

I don't know how it's happened. Whether they've saved one, not finished the process, then enabled it again later, but not saved the new credentials.. Or if there's been a page refresh, and new details generated...

Mentioned in SAL (#wikimedia-operations) [2017-06-16T19:54:43Z] <Reedy> disabled cluster 2fa for Chrissymad for T168064 (confirmed by email)

Reedy claimed this task.