Closed
Bug 1067914
Opened 10 years ago
Closed 9 years ago
Deleting all MFA devices on login.mozilla.com leads to confusing UX
Categories
(Infrastructure & Operations :: Infrastructure: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: emorley, Assigned: rtucker)
In bug 1065644, I was trying to turn off Duo on my account but was not able to do it myself & it was not obvious where to file a bug. We should either:
1) Provide a way to deactivate Duo via login.mozilla.com
2) Provide some help text / a link to a Mana FAQ page saying who to ask to get it deactivated / where to file the bug - if the process can only be done manually.
Reporter
Comment 1•9 years ago
So there are now obvious "delete device" buttons on the https://login.mozilla.com/ MFA tab, however after deleting all devices I'm still prompted for the 2nd factor when SSHing. I just had to request it be manually disabled via IRC:

17:03 <soap> so i don't see any devices enrolled, so that means you probably deleted it correctly
17:03 <soap> however your account is still active
17:04 <soap> and an active status "Requires two-factor authentication"
17:04 <soap> i can set it to Bypass 2FA if you want
17:19 <emorley> yes please
17:19 <soap> ok set. please give it a try now
17:19 <emorley> yeah all good now, ty

Now I know we're soon going to make MFA mandatory for SSH - however I'm presuming people are still going to be able to delete all devices (eg they lost their phone) - and so doing so should present a user friendly "You need to enroll a device for MFA on login.m.o before you can log in" error when SSHing - which presumably won't happen due to this bug. (ie: I don't think we can just WONTFIX this due to imminent mandatory MFA).
Summary: Pages on login.mozilla.org don't say how to switch off Duo → Deleting all MFA devices on login.mozilla.com doesn't disable MFA prompt when SSHing
Assignee
Comment 2•9 years ago
There is what I believe to be a pretty clear disclaimer when you go to delete the last MFA device on login.mozilla.com that it could lock you out. Due to the impending required MFA, there won't be any option to disable MFA. The message you see when you ssh is AFAIK not controllable on our end.
Reporter
Comment 3•9 years ago
I'm not able to repro now to see what that message looks like (presumably due to the "Bypass 2FA" option mentioned in comment 1). That said I generally pay attention and it was easy for me to miss it. Even if there was a warning message - the UI after that doesn't make it clear that 2FA is still enabled. It should permanently say "2FA is enabled but you have no enrolled devices. You must add one now to login". Re impending required MFA - see comment 1. Regarding SSH prompt it's definitely controllable (even if it's via a bug report against DUO's SSH package) - or do you mean not by your team?
Reporter
Updated•9 years ago
Summary: Deleting all MFA devices on login.mozilla.com doesn't disable MFA prompt when SSHing → Deleting all MFA devices on login.mozilla.com leads to confusing UX
Comment 4•9 years ago
We will copy the warning to the confirmation screen. As it is today it shows bold right next to the delete button when you have 1 remaining: "If you delete this last 2nd Factor Auth device, you may not be able to login to some Mozilla services".
Reporter
Comment 5•9 years ago
Great, thank you :-)
Assignee
Comment 6•9 years ago
I've patched to also display the disclaimer on the delete page
Assignee
Comment 7•9 years ago
Looks like everything in this bug that can be addressed has been. Closing this out.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee
Updated•9 years ago
Assignee: infra → rtucker
Reporter
Comment 8•9 years ago
Thanks :-)