
Can’t disable 2FA
Closed, ResolvedPublic

Description

I’m a Wikipedia Admin, and I can’t disable TFA when I log in. How do I disable two-factor authentication (TFA)? The problem is that TFA isn't sending me a code, so I had to reset my password altogether. It won't let me disable the TFA without first providing the code. I've tried all my scratch codes and they don't work. I have a Token, a Secret Key, and 4 Scratch Codes. None of them worked. It let me reset my password, and thereby log into my account. However, I need to disable TFA.

Event Timeline

MarcoAurelio set Security to Software security bug. Aug 9 2017, 1:07 PM
MarcoAurelio added a project: acl*security.
MarcoAurelio changed the visibility from "Public (No Login Required)" to "Custom Policy".
MarcoAurelio subscribed.

Escalating per past similar requests as they may require sharing or revealing private data. Please revert if you disagree. Thanks!

I'm at Wikimania and so kind of stretched a bit thin here. @GoldRingChip - have you tried the steps here?

Yes, I’ve tried. But the problem is that I can’t use TFA and it needs to work to disable it. I have a Token, a Secret Key, and 4 scratch codes. All the scratch codes have been used, and the TFA process doesn’t send a new code to my device.

——
Mark Adler


Codes don't get sent to your device, they are generated by an app on your device


I see. But I don't know when I made that code and what app was used. I've got Google Authenticator on my iPhone, but the code it generates does not work on the TFA here.

MaxSem renamed this task from Can’t disable TFA to Can’t disable 2FA. Aug 9 2017, 5:31 PM

I guess if ops can confirm that this is a valid request, anyone with access to terbium can run the maintenance script to disable the OAuth row for the user so he can recover the account.

This is not a question of infrastructure, so anyone with deployment access can process the request.

As a steward, Marco can help to establish the request is legit.

@Dereckson I do not think I am entitled to make such assessments. I'd prefer Trust-and-Safety to decide that, for legal reasons. What I can say is that @GoldRingChip's Phabricator account is linked to his SUL account via OAuth login, so at least we know that the Phabricator account is the same as the Wikipedia account. That's a good start, but I'm not sure if that's enough. In any case please let me know if I can be of any assistance. Regards.

I have posted requests on my en.wikipedia.org page (https://en.wikipedia.org/wiki/User:GoldRingChip) to indicate who I am. I have access to my Watchlist token, but I doubt that will help. What else can I do to prove I'm legit? Obviously, I want to keep this account secure. I've been a WP user for twelve years and I'm an Admin, so I really don't want to have to start over.

If all the scratch codes have been used, a reset is indeed needed.

The pre-SUL e-mail address on en.wiki and the current e-mail address on the SUL account match.

I'm going to send you a challenge by mail; you can repeat it here. With e-mail + Phabricator auth, we'll be able to accept the request as legit.

Here's the challenge:

umqJCOexhP87lJMBMYRu4oWFozjB4urlma4TyxCY8miCitvGBwKRFODfTj0BEl1

@GoldRingChip the factor has been disabled.

Please note that in the future scratch codes are precious, expirable resources, and if you need to use the last one, it's probably best to disable 2FA yourself and re-enable it, to get new scratch codes.
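Two points in the thread deserve a concrete illustration: that TOTP codes are never "sent" but computed independently by the app and the server from a shared secret and the clock (so a wrong secret or a drifted phone clock yields codes the server rejects), and that scratch codes are single-use and must be burned on first redemption. The following is an added example written for this page; it is not Wikimedia's OATHAuth code. It uses the published RFC 4226/6238 test secret ("12345678901234567890" in base32) rather than any user's key, and the `ScratchCodes` class is a hypothetical illustration of one-time recovery codes, not how MediaWiki stores them.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret "12345678901234567890" in base32
# (a published test vector, not any real account's key).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    Nothing is transmitted; app and server each compute this locally."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    A phone whose clock is further off than this produces codes the server
    rejects, one common reason an authenticator app 'does not work'."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, at + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class ScratchCodes:
    """Hypothetical single-use recovery codes: stored hashed, burned on use."""

    def __init__(self, codes):
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.encode()).hexdigest()
        if h not in self._hashes:
            return False
        self._hashes.discard(h)  # replaying a used scratch code must fail
        return True


if __name__ == "__main__":
    now = int(time.time())
    app_code = totp(RFC_TEST_SECRET_B32, now)
    print("app-side code  :", app_code)
    print("server accepts :", verify_totp(RFC_TEST_SECRET_B32, app_code, now))
    pool = ScratchCodes(["demo-0001", "demo-0002"])  # constructed sample codes
    print("first use      :", pool.redeem("demo-0001"), "remaining", pool.remaining())
    print("replay         :", pool.redeem("demo-0001"))
```

The `verify_totp` window is the usual compromise: wide enough to absorb a few seconds of clock drift, narrow enough that an old code cannot be replayed indefinitely. With the RFC secret, `totp(..., at=59)` yields 287082, the value RFC 6238 lists (as the last six digits of 94287082), which is a handy way to confirm an implementation before trusting it with real accounts.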

> Escalating per past similar requests as they may require sharing or revealing private data. Please revert if you disagree. Thanks!

I'd prefer more traceability for this kind of request, so if someone one day tries by social engineering to get the account of a user, the real user can see the request (if they're a regular user of Phabricator at least).
Yet, you're right, there is a risk of private data disclosure, so your action was probably opportune.

@Dereckson Once tasks are resolved maybe we can make them public. Notwithstanding, since Phabricator supports different levels of visibility, maybe instead of making it fully public we could just restrict its visibility to registered users. Another idea is maybe keeping the task restricted but making a list somewhere (officewiki?) of 2FA reset requests with links to the username and ticket and its results.

I am glad that @GoldRingChip has had his account recovered :)

Is this task resolved?

In the end, no private info was revealed, so this can be public again?

Resolved! Thank you, everyone for going way out of your way to help me. In the future, I'll be more precious with my scratch codes. But I'm also unlikely to enable 2FA for my WP account going forward anyway.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 10 2017, 8:36 PM