Phabricator/Help/Two-factor Authentication Resets

From mediawiki.org

Phabricator supports multi-factor authentication to protect your account in the event that your password is compromised. Wikimedia's Phabricator instance uses Time-based One-Time Passwords (TOTP), an open standard that integrates with several mobile applications such as Google Authenticator, Authy, or FreeOTP.

Warning: Phabricator does not offer backup codes for multi-factor authentication. If you lose access to your second-factor device, you must have put your user committed identity hash on your wiki user page at least one month before requesting a multi-factor authentication reset. You will permanently lose access to your Phabricator account unless you can complete the reset instructions below.

Steps to request a multi-factor authentication reset

  • Preferred method: via a user committed identity hash (if you can still log into Phabricator):
    • Make sure that your user committed identity hash has been on your wiki user page for more than a month
    • Double-check that your Phabricator account is connected to your MediaWiki user account by going to your Phabricator user profile
    • File a task in Phabricator that includes a link to the wiki page carrying your user committed identity hash, and explicitly ask for a custom private Paste to be created to verify your user committed identity hash
    • Let a Phabricator admin create a custom private Paste in Phabricator and provide the link to that Paste in the Phabricator task
      • This requires setting both the "Visible To" field and the "Editable by" field of the Paste to "Subscribers"
      • This requires adding your Phabricator user name and the Phabricator user name of that admin to the "Subscribers" field of the Paste
    • Once you have received the link to that Paste, click "Edit Paste" and paste your text phrase
    • Add a comment in the Phabricator task that you've provided your text phrase
    • Let a Phabricator admin compare your text phrase in your Paste with the user committed identity hash on your wiki user page (via sha512sum), and the date of your wiki user page edit
    • Let a Phabricator admin with shell access reset your access
  • Via manual verification (if you cannot log into Phabricator anymore):
    • Contact a Phabricator admin who knows your face (to map it to the account linked from your Phabricator profile) for a video call to verify your request (this is required because an attacker could have also taken over your MediaWiki or LDAP user account)
    • If this is not possible, post your request on Talk:Phabricator/Help - it may be possible to find third parties who are known both to you and to a Phabricator admin and who can help verify your request
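
The hash comparison step of the preferred method, as an added example (not from the original page or from Wikimedia's tooling): a POSIX shell check of a revealed text phrase against the published hash using sha512sum. The function names, the three phrase variants tried, and the sample values are assumptions made for illustration; checking the date of the wiki user page edit remains a separate manual step.

```shell
#!/bin/sh
# Added example: admin-side check of a revealed phrase against a committed
# identity hash. Function names and sample values are constructed here.

# Constructed sample: the FIPS 180 "abc" test vector stands in for a phrase
# and for the hash as copied from a wiki page (upper-case, line-wrapped).
SAMPLE_PHRASE='abc'
SAMPLE_HASH='DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A
2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F'

# Strip whitespace and lower-case the hex so copy/paste differences in the
# published hash do not cause a false mismatch.
normalize_hash() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# Hash stdin with sha512sum and keep only the digest column.
digest_stdin() {
    sha512sum | cut -d' ' -f1
}

# verify_commitment PHRASE PUBLISHED_HASH
# Prints exact | trailing-newline | crlf-stripped | mismatch | malformed.
# Returns 0 on a match, 1 on mismatch, 2 if the hash is not a SHA-512 digest.
verify_commitment() {
    want=$(normalize_hash "$2")
    # A SHA-512 digest is exactly 128 hex characters.
    case $want in *[!0-9a-f]*|'') echo malformed; return 2 ;; esac
    [ "${#want}" -eq 128 ] || { echo malformed; return 2; }

    # 1. Phrase byte-for-byte as revealed.
    if [ "$(printf '%s' "$1" | digest_stdin)" = "$want" ]; then
        echo exact; return 0
    fi
    # 2. Assumed case: hashed with `echo phrase | sha512sum`, adding "\n".
    if [ "$(printf '%s\n' "$1" | digest_stdin)" = "$want" ]; then
        echo trailing-newline; return 0
    fi
    # 3. Assumed case: a web form turned line endings into CRLF; drop "\r".
    if [ "$(printf '%s' "$1" | tr -d '\r' | digest_stdin)" = "$want" ]; then
        echo crlf-stripped; return 0
    fi
    echo mismatch; return 1
}

verify_commitment "$SAMPLE_PHRASE" "$SAMPLE_HASH"
```

Recording which variant matched in the task keeps the verification reproducible for a second admin.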