Talk:Phabricator/Help/Two-factor Authentication Resets

From MediaWiki.org
Jump to navigation Jump to search

Remove discouragement?[edit]

@AKlapper (WMF):, can we update the wording of "we do not encourage using multi-factor authentication" to something that warns user of the consequences instead? I am actively encouraging users to enable multi-factor if they have access to sensitive information.

@CSteipp (WMF): Sure you can if the consequences that users might lose access and access will not be restored are clearly communicated. --AKlapper (WMF) (talk) 21:25, 13 September 2015 (UTC)

Reset[edit]

A pop-up I get while logging into Phabricator.Used to explain what I see while trying to reset 2-step.

Does this procedure still work? I myself can login, but fail the App Code because my phone has returned to my previous employer. When I follow the steps on this page, I can not find the phrase Click on "Visible To: Public (No Login Required)" ... therefor resetting my 2-factor stops too ... Edoderoo (talk) 21:08, 16 June 2016 (UTC)

@Edoderoo: I see Click on "Visible To: Public (No Login Required)" when creating a new Paste with my private, non-special account. If you do not, can you provide a screenshot (that does not expose any private data)? --AKlapper (WMF) (talk) 08:20, 17 June 2016 (UTC)
In Phabricator, I can get through the first login-step, with my wikitech credentials. Under the big + at the right-top of the screen, I do see a "create a new paste", but it keeps leading me to the 2-step-code screen. I tried using FireFox and Chrome and Edge on Win10. Also tried it on Ubuntu Mate 15.10 with FireFox, but the same results. I can login, I can use oAuth from MediaWiki, but the next step is always the popup-window for two-factor auth, and there are no other links.
@Edoderoo: Ah. :( To go one step back, the instructions to use Paste only make sense when you have a committed identity hash on your wiki user page for more than a month. Could you link to it? Also, can you reach https://phabricator.wikimedia.org/settings/user/Edoderoo/page/multifactor/ ? --AKlapper (WMF) (talk) 10:21, 17 June 2016 (UTC)
@AKlapper (WMF): I have *now* added it here: https://en.wikipedia.org/wiki/User:Edoderoo, but if there is a better place, let me know. I'll wait a month and try again. Edoderoo (talk) 11:23, 17 June 2016 (UTC)
@AKlapper (WMF): ... What can be done to reset my identity from here on? Edoderoo (talk) 10:21, 22 February 2017 (UTC)
@Edoderoo: Thanks for the ping! Realizing that the Phabricator account "Edoderoo" had never been used so far, it felt far easier (and less security critical) to just delete that Phabricator account, so you can now re-register on Wikimedia Phabricator. --AKlapper (WMF) (talk) 11:06, 22 February 2017 (UTC)

Unable to create paste[edit]

The https://phabricator.wikimedia.org/paste/edit/form/14/ form doesn't work for me: I'm just asked for a 2FA code and cannot proceed. Is that form supposed to be usable by unauthenticated users? Sam Wilson 03:14, 29 May 2018 (UTC)

@Samwilson: https://phabricator.wikimedia.org/T85706#1805699 I'm afraid. I'll add an obsolete header section. --AKlapper (WMF) (talk) 09:39, 29 May 2018 (UTC)
Thanks for the link. I shall be without phab for a while then I guess! :) —Sam Wilson 09:45, 29 May 2018 (UTC)
@Samwilson: Are there other ways to verify that you are you? For example a video call with someone who knows you? :-/ (I guess that could be me too.) --AKlapper (WMF) (talk) 09:57, 29 May 2018 (UTC)
@AKlapper (WMF): Yes, I still have access to all my other accounts (I stored 2FA backup codes for everything I could, but Phab doesn't have them). I wonder, is it enough to post a reset request from a 2FA-authenticated wiki account (like this one I'm posting from)? That seems to me as secure as relying on a committed identity hash. —Sam Wilson 07:00, 30 May 2018 (UTC)
@AKlapper (WMF): I'm still locked out. Are you able to help after all? You can get me on Hangouts any time, if that's what's required. Sam Wilson 23:34, 4 June 2018 (UTC)
@Samwilson: Uh, I'm sorry! Let me ping you on IRC to have a quick video chat in the next hours, hopefully at a time that works for both of us. :) --AKlapper (WMF) (talk) 12:20, 5 June 2018 (UTC)

Can we please agree on a new process?[edit]

Hello. I don't have numbers, but I bet this happens from time to time, and I think we should give users some accurate guidance. The current process for Phabricator 2FA reset as documented on this page is not working anymore given that you're prevented from taking any action if you're not fully logged in (username, password and TOTP token). Verifying the identity could happen in a variety of ways: committed identity, PGP signature, people known to the Foundation or whose identity is know to them. Given that we can't Paste anymore, what would be an acceptable process of verification? What would people with access to remove Phabricator 2FA think? Do we have any estimate on how much time would https://secure.phabricator.com/T6549 be fixed? (it could solve most of the problems). Thank you, --MarcoAurelio (talk) 11:37, 4 February 2019 (UTC)

@MarcoAurelio: Thanks for the ping. I've updated the process to something that should work in most cases (phab:T85706#5003286). --AKlapper (WMF) (talk) 22:04, 5 March 2019 (UTC)