Page MenuHomePhabricator
Create Task
Maniphest T189924

Lost two-factor auth should explain alternative reset methods
Closed, ResolvedPublic
Actions

Assigned To
Reedy
Authored By
awight
Mar 17 2018, 4:54 AM
Tags
Referenced Files
F41659104: Screenshot 2024-01-08 at 16.45.41.png
Jan 8 2024, 4:46 PM
F41659013: Screenshot 2024-01-08 at 16.29.24.png
Jan 8 2024, 4:35 PM
F15657416: Screen Shot 2018-03-16 at 11.46.34 PM.png
Mar 17 2018, 4:54 AM
Subscribers
Aklapper
awight
bd808
Chicocvenancio
Reedy

Description

Hi, I lost access to my Authenticator app, and wikitech impossibly requires a code in order to disable 2FA, with no alternative methods provided.

Screen Shot 2018-03-16 at 11.46.34 PM.png (362×1 px, 40 KB)

One improvement would be to expand the form help text, and suggest that scratch codes e.g. "XXXX YYYY ZZZZ AAAA" can be pasted in place of device codes, in case of a lost device.

Update

I found my scratch codes, so all is good for me personally. Turning this task into feedback.

Details

SubjectRepoBranchLines +/-
Add override for oathauth-hintmediawiki/extensions/WikimediaMessagesmaster+6 -2
TOTPDisableForm: Add a hint message that user can use recovery tokensmediawiki/extensions/OATHAuthREL1_40+6 -3
TOTPDisableForm: Add a hint message that user can use recovery tokensmediawiki/extensions/OATHAuthREL1_39+6 -3
TOTPDisableForm: Add a hint message that user can use recovery tokensmediawiki/extensions/OATHAuthREL1_41+6 -3
TOTPDisableForm: Add a hint message that user can use recovery tokensmediawiki/extensions/OATHAuthmaster+6 -3
Customize query in gerrit

Related Objects

Event Timeline

awight created this task.Mar 17 2018, 4:54 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2018, 4:54 AM
Peachey88 added a project: cloud-services-team.Mar 17 2018, 4:58 AM
awight renamed this task from Lost two-factor auth for awight on wikitech to Lost two-factor auth on wikitech should explain alternative reset methods.Mar 17 2018, 4:58 AM
awight added a project: acl*security.
awight updated the task description. (Show Details)
Aklapper removed a project: acl*security.Mar 17 2018, 9:21 AM
bd808 edited projects, added MediaWiki-extensions-OATHAuth; removed cloud-services-team, wikitech.wikimedia.org.Mar 20 2018, 5:22 AM
bd808 subscribed.

This is a general OATH documentation request, not a wikitech specific issue.

Reedy renamed this task from Lost two-factor auth on wikitech should explain alternative reset methods to Lost two-factor auth should explain alternative reset methods.Mar 22 2018, 3:25 PM
Chicocvenancio subscribed.Mar 22 2018, 3:26 PM
Reedy added a project: Documentation.May 4 2018, 9:41 PM
srodlund moved this task from Backlog to Completed, Blocked, Wrong Category, Refinement Needed, or Older Needs Review on the Documentation board.Aug 16 2018, 5:48 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Jul 5 2019, 9:59 PM
Reedy subscribed.EditedJan 8 2024, 4:35 PM

I note that login isn't much better for suggesting recovery tokens etc...

Screenshot 2024-01-08 at 16.29.24.png (290×383 px, 15 KB)

Can potentially use oathauth-auth-token-help on login...

gerritbot added a comment.Jan 8 2024, 4:41 PM

Change 988674 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/988674

gerritbot added a project: Patch-For-Review.Jan 8 2024, 4:41 PM
Reedy added a comment.Jan 8 2024, 4:46 PM

If we use 'help' instead of a different field, we get it showing in light grey (for disable), which I think is probably better...

Screenshot 2024-01-08 at 16.45.41.png (344×849 px, 44 KB)

Ignore the duplication, just for demo purposes

Reedy mentioned this in T354539: Help field from TOTPAuthenticationRequest isn't actually shown....Jan 8 2024, 4:49 PM
Reedy added a comment.Jan 8 2024, 5:19 PM

And we probably want a WMF override to link to https://meta.wikimedia.org/wiki/Help:Two-factor_authentication#Disabling_two-factor_authentication and/or https://meta.wikimedia.org/wiki/Help:Two-factor_authentication#Disabling_two-factor_authentication

gerritbot added a comment.Jan 11 2024, 3:02 PM

Change 989840 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WikimediaMessages@master] Add override for oathauth-hint

https://gerrit.wikimedia.org/r/989840

gerritbot added a comment.Jan 11 2024, 3:38 PM

Change 988674 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/988674

gerritbot added a comment.Jan 11 2024, 3:40 PM

Change 989851 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_41] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989851

gerritbot added a comment.Jan 11 2024, 3:41 PM

Change 989875 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_40] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989875

gerritbot added a comment.Jan 11 2024, 3:41 PM

Change 989876 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_39] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989876

gerritbot added a comment.Jan 11 2024, 3:48 PM

Change 989851 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_41] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989851

gerritbot added a comment.Jan 11 2024, 3:48 PM

Change 989876 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_39] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989876

gerritbot added a comment.Jan 11 2024, 3:48 PM

Change 989875 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_40] TOTPDisableForm: Add a hint message that user can use recovery tokens

https://gerrit.wikimedia.org/r/989875

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.14; 2024-01-16).Jan 11 2024, 6:00 PM
gerritbot added a comment.Jan 12 2024, 3:42 PM

Change 989840 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Add override for oathauth-hint

https://gerrit.wikimedia.org/r/989840

Reedy closed this task as Resolved.Jan 12 2024, 4:03 PM
Reedy claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Jan 12 2024, 4:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL