
Wikitech 2FA does not appear to allow recovery with recovery codes
Closed, Invalid (Public)

Description

I still have my scratch codes for my Wikitech account's 2FA but am unable to use them to recover my account because there is no obvious place to use them. The interface will not let me enter anything other than a six-digit authentication code, which I am not currently able to generate correctly.

Screen Shot 2018-09-18 at 6.46.35 PM.png (864×616 px, 58 KB)


See also T158153: Consider changing recovery codes to use six digits

Event Timeline

Jc86035 triaged this task as Unbreak Now! priority. Sep 18 2018, 10:46 AM

(Sorry for abusing the unbreak priority but I wouldn't want this to get lost.)

Jc86035 renamed this task from Wikitech 2FA does not appear to support scratch codes to Wikitech 2FA does not appear to allow recovery with scratch codes. Sep 18 2018, 10:47 AM
Jc86035 updated the task description.

> which I am not currently able to generate correctly

Why not?

@Aklapper I don't think that's relevant, but it's probably because my 2FA data was lost when I restored my phone. I have six 16-character codes (five of them being the scratch codes), but I don't know what to do with any of them.

If there's no software solution and I am supposed to contact the WMF directly to be able to log into my account again, then I think it should be clearly stated in at least one of the three help docs (meta/wikitech/mediawikiwiki).

Have you tried logging on directly to wikitech using the scratch codes? Rather than just the toolforge admin console...

Which you'd have to do anyway to remove 2FA from your account to set it up again

JJMC89 subscribed.

You should use a scratch code in place of entering the code generated by your phone.

These steps should get you back to using 2FA normally.

  1. Log in to Wikitech
    1. Enter an unused scratch code when prompted for 2FA
  2. Disable 2FA
    1. Enter an unused scratch code when prompted for 2FA
  3. Re-enable 2FA

@JJMC89 @Reedy I've tried that on both wmflabs and wikitech and it doesn't work.

I also don't remember enabling 2FA more than once, which would have had to happen if I now have a set of invalid scratch codes.

> I also don't remember enabling 2FA more than once, which would have had to happen if I now have a set of invalid scratch codes.

There's been a couple of cases where people have ended up with invalid scratch codes, but it's usually months later that they realise. Has made it pretty hard to track down and prevent

It looks like 2FA will need to be reset. The easiest option to confirm your identity is to create a file with reference to this task in your home directory on a Toolforge bastion.

@JJMC89 I've created /home/jc86035/T204682.

> I've created /home/jc86035/T204682.

Would @bd808 or someone else with access handle the reset?

> @JJMC89 I've created /home/jc86035/T204682.

$ mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki Jc86035
OATHAuth disabled for Jc86035.

Not closing as I need to investigate the underlying issue. Since 2FA can't be disabled via toolsadmin the best answer there might be to add instructions on how to go to Wikitech and disable/re-enable rather than consuming a scratch token. If scratch tokens are broken generally somehow on Wikitech though that is something we will want to fix.

bd808 lowered the priority of this task from Unbreak Now! to High. Sep 19 2018, 10:02 PM

@Jc86035 the screen shot you provided is from https://toolsadmin.wikimedia.org. Did you actually try to use your recovery code(s) at https://wikitech.wikimedia.org as well, or only in toolsadmin?

@bd808 I tried both. I also tried removing the spaces in the scratch codes (didn't work) and reusing the other sixteen-character string that I had to generate new six-digit tokens (didn't work).

Reedy renamed this task from Wikitech 2FA does not appear to allow recovery with scratch codes to Wikitech 2FA does not appear to allow recovery with recovery codes. Jan 1 2024, 8:55 PM
Reedy removed a subscriber: srodlund.

I've just tested logging into wikitech with a recovery token, worked fine...

I then burned another logging into https://toolsadmin.wikimedia.org...

Both had spaces in...

> If scratch tokens are broken generally somehow on Wikitech though that is something we will want to fix.

Doesn't seem to be the case, or if it was, it no longer is...

> Not closing as I need to investigate the underlying issue. Since 2FA can't be disabled via toolsadmin the best answer there might be to add instructions on how to go to Wikitech and disable/re-enable rather than consuming a scratch token.

I think this may be the only thing at least obviously actionable here?
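
An added illustration, not part of the task discussion and not OATHAuth's code: a second-factor check that accepts either a six-digit TOTP or a 16-character recovery code in the same field, ignores spaces, and burns each recovery code on first use. The class name, the recovery-code alphabet and the sample codes in the comments are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
import struct
import time

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def normalize(token: str) -> str:
    """Drop whitespace and upper-case, so 'abcd efgh ...' equals 'ABCDEFGH...'."""
    return re.sub(r"\s+", "", token).upper()

class SecondFactor:  # hypothetical name, for illustration only
    def __init__(self, secret: bytes, recovery_codes):
        self.secret = secret
        # Keep only hashes of the normalized codes, never the codes themselves.
        self.recovery = {self._digest(c) for c in recovery_codes}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(normalize(code).encode()).hexdigest()

    def verify(self, token: str, now: float = None):
        """Return 'totp', 'recovery', or None if the token is rejected."""
        now = time.time() if now is None else now
        cleaned = normalize(token)
        if re.fullmatch(r"\d{6}", cleaned):
            # Allow one time step of clock drift in either direction.
            for drift in (-30, 0, 30):
                if hmac.compare_digest(totp(self.secret, now + drift), cleaned):
                    return "totp"
            return None
        # Assumed recovery-code shape: 16 letters/digits once spaces are removed.
        if re.fullmatch(r"[A-Z0-9]{16}", cleaned):
            digest = self._digest(cleaned)
            if digest in self.recovery:
                self.recovery.discard(digest)  # single use: burn the code
                return "recovery"
        return None
```

A form that validates its input as exactly six digits before submitting would reject the second branch's input client-side, regardless of what the server accepts.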