Hello @DMartin-WMF,

Okta's 2FA codes are not used by Wikimedia developer accounts (this is because developer accounts are used by volunteers as well, and Okta credentials are only issued to WMF staff). If you still have at least two remaining emergency codes, please go to Wikitech preferences and disable two-factor authentication there. After that's done, you'll be able to set it up again with your new phone (if so desired). Generally, it is preferred to self-service the disabling, whenever that's possible.

That said, signing the L3 document you mentioned does not depend on your Wikitech 2FA status (Phabricator's 2FA tokens are different from Wikitech's). If I understand it correctly, you're unable to sign the document, because Phabricator prompts you to enter a 2FA code, and you're unable to provide a valid code (the dialog should look like F36890815). If my understanding is right, you need to follow the Phabricator 2FA reset procedure (in your case, the reset will likely entail a verification video call with a Phabricator admin, who will then remove your 2FA).

Hope this helps!

@DMartin-WMF: Hi, if you're unable to sign L3, please explain what exactly does happen when you try. Thanks!

@DMartin-WMF I was going to direct you to https://wikitech.wikimedia.org/wiki/Password_and_2FA_reset#For_users for a process to validate your control of the https://wikitech.wikimedia.org/wiki/User:David_Martin account, but a check of the backing LDAP directory shows that there are no SSH keys or Cloud VPS project memberships associated with the account.

If you have any emergency codes from setting up 2FA at Wikitech left (each code is one-time use) I would recommend that you use a code to login to Wikitech and then use https://wikitech.wikimedia.org/wiki/Special:Manage_Two-factor_authentication to remove your current TOTP authentication method. Once you do this you should be able to use the same special page to setup a new TOTP 2FA protection for your account.

If you have used up all of your emergency codes, you can instead send me (bd808@wikimedia.org) an email from your dmartin@wikimedia.org account with a link to this Phabricator task. That email is the owner of the Developer account and will in this case serve as reasonable proof that the request to drop 2FA is legitimate.

Thanks everyone for the quick response and clear explanations! I have removed my existing TOTP authentication (and will reinstate after solving the signing issue).

Regarding the signing of L3 - After clicking on Sign Document, I see a page that says "Provide MFA Credentials". If I enter an OKTA authentication code, it says "Invalid". There are no other options on the page.

So yes, I believe I need to follow the Phabricator 2FA reset procedure. I do not have a user committed identity hash, so I take it I need to contact a Phabricator admin who knows my face. Can anyone reading this ticket help me today (which would allow me to move forward on part of my work)? If not, I could probably get help from James Forrester on Monday; I will meet with him.

@Urbanecm - Yes, the MFA credentials page that I see is the same as the image you attached.

Hi @Urbanecm @bd808 @Aklapper - I need to ask for further help from one of you. I discussed this ticket with James Forrester, who knows me personally, but is not a Phab admin. It's my understanding, from James, that any Phab admin should be able to help me, even without knowing my face, because I'm a staff member.

As stated above, my problem is that I'm unable to sign this document (which is currently blocking some of my work). Phabricator prompts me to enter a 2FA code, and I am unable to provide a valid code.

Notes: I am currently logged into Phabricator, if that helps. I'm adding James as a subscriber to this ticket.

@DMartin-WMF: Could you send me a private message on WMF's internal "Slack" thingy with a reference to this ticket please, for verification? Thanks.

My thanks, also - @Aklapper and all!