Page MenuHomePhabricator
Create Task
Maniphest T410946

2FA removal UI displays incorrect message about recovery codes
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Have more than one authenticator app enrolled
  • In Special:Accountsecurity, click the option to disable one of your authenticator apps

What happens?:

  • The UI displays the message (oathauth-delete-warning): "You won't be able to use this authentication method to log in anymore and your recovery codes will no longer work"

What should have happened instead?:

Other information (browser name/version, screenshots, etc.):

T405872

Screenshot from 2025-11-21 14-42-01.png (555×1 px, 46 KB)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Delete passkeys when final 2FA method is deletedmediawiki/extensions/OATHAuthmaster+27 -36
Customize query in gerrit

Related Objects

Event Timeline

TBurmeister created this task.Nov 24 2025, 8:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 24 2025, 8:12 PM
Catrope added a project: FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).Nov 24 2025, 8:33 PM
Catrope moved this task from Inbox to Bugs on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.
sbassett subscribed.Nov 24 2025, 10:35 PM

Playing around with this a bit locally, I think we either need to change the copy for the oathauth-delete-warning message or introduce a different code path/message. Because the code appears to be working properly in recognizing existing/remaining auth app keys. When I inspect $lastKey, $this->isPrivilegedUser() and even count( $remainingKeys ), all of those appear correct when I have 2+ auth app keys set for my account. But the only path the code can take in this case is rendering the oathauth-delete-warning message via: Html::element( 'p', [], $this->msg( 'oathauth-delete-warning' )->text() ) ); on line 641 of OATHManage.php.

Reedy added a project: MW-1.45-release.Nov 26 2025, 9:53 AM
Mstyles claimed this task.Dec 8 2025, 4:11 PM
T4NeGMp7P4en subscribed.Dec 14 2025, 9:15 AM

In my test on jawiki, I found that deleting security key can also show this incorrect warning. FYR.

Restricted Application added a subscriber: Dragoniez. · View Herald TranscriptDec 14 2025, 9:15 AM
gerritbot added a comment.Dec 16 2025, 12:51 AM

Change #1217316 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Delete passkeys when final 2FA method is deleted

https://gerrit.wikimedia.org/r/1217316

gerritbot added a project: Patch-For-Review.Dec 16 2025, 12:51 AM
gerritbot added a comment.Dec 16 2025, 4:37 PM

Change #1217316 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Delete passkeys when final 2FA method is deleted

https://gerrit.wikimedia.org/r/1217316

Maintenance_bot removed a project: Patch-For-Review.Dec 16 2025, 5:31 PM
Mstyles closed this task as Resolved.Dec 16 2025, 8:44 PM
T4NeGMp7P4en added a comment.Fri, Dec 26, 6:51 PM
This comment was removed by T4NeGMp7P4en.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits