Page MenuHomePhabricator

Reset my 2FA on this Phab account
Closed, ResolvedPublic

Description

I've been going between devices because my original 2FA device became waterlogged. Unfortunately, I forgot to reset the 2FA on this account. Fortunately, my session is still active, but I am unable to replace the old 2FA secret with a new one.

Can someone please reset it? Similar to the InternetArchiveBot issue from a week ago. See T230773

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2019, 9:13 AM
Cyberpower678 triaged this task as High priority.Aug 29 2019, 9:15 AM
Cyberpower678 updated the task description. (Show Details)
Cyberpower678 moved this task from Backlog to 2FA (requests) on the Trust-and-Safety board.
jrbs added a comment.Aug 29 2019, 5:15 PM

Hey again - would you be able to email ca@wikimedia.org from the email address on your account (again)? Thanks :)

Cyberpower678 added a subscriber: WMFOffice.EditedAug 29 2019, 5:29 PM

I’ll do one better, I’ll forward the email of your email. :-)

Hello Cyberpower678,

We have disabled the 2-factor authentication for the account
User:Cyberpower678. Could you check whether you can login again and let us
know?

Cheers,
Samuel

2FA is still active on my Phabricator.

Oh wait. You disabled my Wikipedia 2FA. I wanted my Phabricator 2FA disabled.

jrbs edited subscribers, added: bd808; removed: WMFOffice.Aug 29 2019, 6:13 PM

Oh wait. You disabled my Wikipedia 2FA. I wanted my Phabricator 2FA disabled.

Ah, easy mistake to make :) We (T&S) do not generally handle Phabricator 2FA. I'd like to ping @bd808 as a Phab admin who might be able to look at this.

bd808 added a subscriber: mmodell.Aug 29 2019, 6:22 PM

I'd like to ping @bd808 as a Phab admin who might be able to look at this.

Revoking Phabricator 2FA requires shell access that I do not have. I will keep the ping train going however by adding @Aklapper and @mmodell who do have all the necessary permissions to verify the request and ultimately revoke the current 2FA tokens for @Cyberpower678

@Cyberpower678: The procedure involves confirming your wiki identity via a private paste
see https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets

So I've created a private paste here: P9005

Please edit the paste and add you identity hash, I'll compare it and then remove your TOTP 2nd factor from phabricator.

@Cyberpower678: The procedure involves confirming your wiki identity via a private paste
see https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets
So I've created a private paste here: P9005
Please edit the paste and add you identity hash, I'll compare it and then remove your TOTP 2nd factor from phabricator.

So we have a problem. The flash drive that actually had my paragraph long rant, that feeds into the hash, doesn't actually power on anymore. I guess age killed it. Obviously, that means I need to change my hash now. **** me.

Damn, what a pain, I wish there was an easier process for this.

Damn, what a pain, I wish there was an easier process for this.

I am SOOOOOO sorry about this. If I had scratch codes, I'd be using those.

Cyberpower678 added a comment.EditedAug 29 2019, 10:32 PM

I have 2FA enabled and my identity recently confirmed multiple times on Wikipedia, most recently on this very thread. Can I just post a 2FA reset confirm post on my talk page?

That seems reasonable to me, though I didn't make the procedure at https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets

@Cyberpower678 can create a file in home in his toolforge account (he has LDAP connected to Phabricator account, so it's clear the accounts are both his), do an edit somewhere to confirm this or we can ask him for confirmation via IRC PM (it's common knowledge who owns the account there, and he has a cloak anyway). Besides, he is still logged in, so it's not a big problem. Plenty of ways to verify Cyberpower's request :). At worse, Cyberpower can have a quick videoconference with someone who recognizes him in person :).

I believe the rationale is to verify the identity somehow, not to require hash and only hash.

Cyberpower should change the hash anyway :D.

The procedure linked says "Contact a Phabricator admin who knows your face [to verify the request]". I'm not a Phabricator admin, but I saw Cyberpower at Wikimania Hackathon, and I still recall his face. I'm willing to confirm his request via videoconference if it is needed.

@Cyberpower678 can create a file in home in his toolforge account (he has LDAP connected to Phabricator account, so it's clear the accounts are both his), do an edit somewhere to confirm this or we can ask him for confirmation via IRC PM (it's common knowledge who owns the account there, and he has a cloak anyway). Besides, he is still logged in, so it's not a big problem. Plenty of ways to verify Cyberpower's request :). At worse, Cyberpower can have a quick videoconference with someone who recognizes him in person :).
I believe the rationale is to verify the identity somehow, not to require hash and only hash.
Cyberpower should change the hash anyway :D.

Didn't we meet at Wikimania? :-) I will be happy to do any of those methods. Just tell me what to do to verify my identity, other than a hash. (New hash is going into my keychain this time). My hash predates my password vault.

We did, "someone" includes me :P. Let me know if my help is needed.

Welp my phone got logged out somehow. So now I only have one device left with an active Phab session going.

@Cyberpower678 check your irc bouncer and/or Telegram client for an invite from me to do a video confirmation. :)

@revi and @MF-Warburg met at Wikimania too. They know my face too.

@Cyberpower678 check your irc bouncer and/or Telegram client for an invite from me to do a video confirmation. :)

Got it

@mmodell I just did a video call with the human entity I know to be @Cyberpower678 and they confirmed this request by reciting the task number to me. If you would like to verify I am who you think I am, pm me a google meet link on Freenode.

Cyberpower678 added a comment.EditedAug 29 2019, 10:51 PM

I'm still in Germany, so I will be going to bed now. :-). Thanks @bd808

Tgr added a comment.Aug 29 2019, 10:52 PM

For standard unprivileged Phab accounts it does seem a bit over the top.

Ok I'll reset the account, sorry for the delay @Cyberpower678

mmodell closed this task as Resolved.Aug 30 2019, 12:30 AM
mmodell claimed this task.

Done

For standard unprivileged Phab accounts it does seem a bit over the top.

Agreed (and offtopic here). Anyone having an idea for a better venue?

Unrelated to Trust-and-Safety, hence removing tag