yubikey passcode not accepted on 'openvpn' tab on login.m.c



Infrastructure & Operations
Infrastructure: SSO
2 years ago


(Reporter: glob, Unassigned)



the only mfa device i have configured on my account is my yubikey.

when i navigate to https://login.mozilla.com/openvpn i'm prompted for a passcode.  the device is set to 'token' (the only option).

when i trigger the yubikey to provide a code i'm told "please enter a passcode", however i'm informed this isn't a valid code (even though it works to log in to the vpn)

i'm not registered with duo on login.m.c, just my yubikey... i suspect that's why the duo auth is failing.

i would expect all of my registered 2fa devices to work wherever 2fa is required.
if you need to catch me on irc to diagnose this in real time, my hours are on my phonebook entry.
This might require some real time work, however, I see that your device is a HOTP device. By default the yubikey has 2 slots.

1. Short press, defaults to the Yubi OTP
2. Long press, would be the default for a HOTP6

If you can confirm the functionality of login.mozilla.com does not work when you're doing the proper corresponding long press or short press of your Yubikey to enter the HOTP6 code, we can go from there.

You can open the yubikey personalization tool to confirm which slot is programmed as the HOTP device.
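
For the slot check described in the comment above, this added example (not from the bug thread, and not Mozilla's or Duo's code) tells from the typed string whether a Yubico OTP slot or an OATH-HOTP slot fired, and validates a HOTP6 code per RFC 4226. The function names and the look-ahead `window` of 5 are assumptions for illustration, and the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

MODHEX = set("cbdefghijklnrtuv")  # alphabet a Yubico OTP slot types out

def classify_passcode(text):
    """Guess which kind of YubiKey slot produced the typed string."""
    code = text.strip()
    if code.isascii() and code.isdigit() and len(code) in (6, 8):
        return "oath-hotp%d" % len(code)
    # A default Yubico OTP is 44 modhex chars: 12 of public ID + 32 encrypted.
    if len(code) >= 32 and set(code) <= MODHEX:
        return "yubico-otp"
    return "unknown"

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_hotp6(secret, server_counter, typed, window=5):
    """Return the server's next counter on success, None on rejection."""
    if classify_passcode(typed) != "oath-hotp6":
        return None  # e.g. the Yubico OTP slot was pressed instead
    code = typed.strip()
    for counter in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter + 1
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    wrong_slot = "c" * 12 + "bdefghijklnrtuvc" * 2  # constructed 44-char sample
    for typed in (hotp(secret, 2), wrong_slot, "hunter2"):
        print(classify_passcode(typed), verify_hotp6(secret, 0, typed))
```
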
i have slot1 currently empty (it's my "i'm doing 2fa dev work and need a floating slot"), and slot2 is oath-hotp6.
hotp6 works for vpn auth, but not for login.m.c.
i caught up with rtucker on irc and ran through a few things.  after a few experiments that shouldn't have impacted things, it started working.

for those playing along:
> i'm not registered with duo on login.m.c, just my yubikey
this statement is totally wrong.  duo backs all of login.m.c's 2fa implementation so my device _is_ registered there.

closing as invalid due to a lack of RESOLVED/PLANETARY_MISALIGNMENT status.
Last Resolved: 2 years ago
Resolution: --- → INVALID