Deleting all MFA devices on leads to confusing UX

4 years ago
3 years ago

(Reporter: emorley, Assigned: rtucker)

In bug 1065644, I was trying to turn off Duo on my account but was not able to do it myself & it was not obvious where to file a bug.

We should either:
1) Provide a way to deactivate Duo via
2) Provide some help text / a link to a Mana FAQ page saying who to ask to get it deactivated / where to file the bug - if the process can only be done manually.

So there are now obvious "delete device" buttons on the MFA tab, however after deleting all devices I'm still prompted for the 2nd factor when SSHing.

I just had to request it be manually disabled via IRC:

17:03 <soap> so i don't see any devices enrolled, so that means you probably deleted it correctly
17:03 <soap> however your account is still active
17:04 <soap> and an active status "Requires two-factor authentication"
17:04 <soap> i can set it to Bypass 2FA if you want
17:19 <emorley> yes please
17:19 <soap> ok set. please give it a try now
17:19 <emorley> yeah all good now, ty

Now I know we're soon going to make MFA mandatory for SSH - however I'm presuming people are still going to be able to delete all devices (eg they lost their phone) - and so doing so should present a user friendly "You need to enroll a device for MFA on login.m.o before you can log in" error when SSHing - which presumably won't happen due to this bug. (ie: I don't think we can just WONTFIX this due to imminent mandatory MFA).
Summary: Pages on don't say how to switch off Duo → Deleting all MFA devices on doesn't disable MFA prompt when SSHing

Comment 2

3 years ago
There is what I believe to be a pretty clear disclaimer when you go to delete the last MFA device on that it could lock you out.

Due to the impending required MFA, there won't be any option to disable MFA.

The message you see when you ssh is AFAIK not controllable on our end.

I'm not able to repro now to see what that message looks like (presumably due to the "Bypass 2FA" option mentioned in comment 1). That said, I generally pay attention and it was easy for me to miss it.

Even if there was a warning message, the UI after that doesn't make it clear that 2FA is still enabled. It should permanently say "2FA is enabled but you have no enrolled devices. You must add one now to log in".

Re impending required MFA - see comment 1. Regarding SSH prompt it's definitely controllable (even if it's via a bug report against DUO's SSH package) - or do you mean not by your team?
Summary: Deleting all MFA devices on doesn't disable MFA prompt when SSHing → Deleting all MFA devices on leads to confusing UX
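The state the IRC log in comment 1 and the proposed banner in comment 3 describe can be modelled as two independent inputs: an account-level enforcement flag ("Requires two-factor authentication" vs "Bypass 2FA") and the list of enrolled devices. The following is an added illustration, not code from the login service or from anyone in this bug; the class and function names, and the audit over a list of accounts, are assumptions made for the example. The warning and banner strings are the ones quoted in this thread.

```python
from dataclasses import dataclass, field
from enum import Enum


class MfaPolicy(Enum):
    # Account-level status names as quoted in the IRC log in comment 1.
    REQUIRE = "Requires two-factor authentication"
    BYPASS = "Bypass 2FA"


@dataclass
class Account:
    # Hypothetical account record; field names are assumptions for this example.
    username: str
    policy: MfaPolicy
    devices: list = field(default_factory=list)


# UI text quoted in this bug (comment 4 and comment 3 respectively).
LAST_DEVICE_WARNING = ("If you delete this last 2nd Factor Auth device, "
                       "you may not be able to login to some Mozilla services")
NO_DEVICE_BANNER = ("2FA is enabled but you have no enrolled devices. "
                    "You must add one now to log in")


def ssh_login_outcome(account):
    """What an SSH login does for this account state.

    The enforcement flag and the device list are checked independently,
    which is why deleting every device does not remove the prompt.
    """
    if account.policy is MfaPolicy.BYPASS:
        return "password_only"
    if not account.devices:
        return "locked_out"          # prompt is issued, but no device can answer it
    return "second_factor_prompt"


def delete_device_warning(account, device):
    """Warning to show on the delete and confirmation screens before removal."""
    remaining = [d for d in account.devices if d != device]
    if account.policy is MfaPolicy.REQUIRE and not remaining:
        return LAST_DEVICE_WARNING
    return None


def delete_device(account, device):
    """Remove the device and return the warning that applied, if any."""
    warning = delete_device_warning(account, device)
    account.devices = [d for d in account.devices if d != device]
    return warning


def status_banner(account):
    """Persistent MFA-tab banner for an account that can no longer log in."""
    if account.policy is MfaPolicy.REQUIRE and not account.devices:
        return NO_DEVICE_BANNER
    return None


def locked_out_accounts(accounts):
    """Audit helper: usernames whose policy demands a factor they cannot supply."""
    return [a.username for a in accounts if ssh_login_outcome(a) == "locked_out"]


if __name__ == "__main__":
    # Constructed walk-through of the sequence reported in this bug.
    acct = Account("example-user", MfaPolicy.REQUIRE, ["phone"])
    print(ssh_login_outcome(acct))        # second_factor_prompt
    print(delete_device(acct, "phone"))   # the last-device warning
    print(ssh_login_outcome(acct))        # locked_out
    print(status_banner(acct))            # the persistent banner
```

The point of the model is that `status_banner` and `locked_out_accounts` key off the same condition as the login path, so the UI and any periodic audit can never disagree with what SSH will actually do.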
Blocks: 1173553
We will copy the warning to the confirmation screen. As it is today it shows bold right next to the delete button when you have 1 remaining: "If you delete this last 2nd Factor Auth device, you may not be able to login to some Mozilla services".
Great, thank you :-)

Comment 6

3 years ago
I've patched to also display the disclaimer on the delete page

Comment 7

3 years ago
Looks like everything in this bug that can be addressed has been. Closing this out.
Last Resolved: 3 years ago
Resolution: --- → FIXED


3 years ago
Assignee: infra → rtucker
Thanks :-)