Closed
Bug 1436844
Opened 7 years ago
Closed 4 years ago
[mozillians.org]: couldn't log in to account
Categories
(Participation Infrastructure :: Phonebook, enhancement)
Participation Infrastructure
Phonebook
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
next
People
(Reporter: CocoMo, Unassigned)
Details
(Whiteboard: [iam-userissue])
Attachments
(3 files)
log_in_by_email.png
Hello,
Not sure where to file the bug. Our long time l10n community contributor Michael Wolf couldn't log in to mozillians.org site with his email account: milupo@sorbzilla.de. The password doesn't work. He requested to send a link to his email following the dialogue box (with options), the provided link only generated an error image with that attempt.
If this is not the place to have this issue resolved, please triage it to the right product/category.
Thank you,
Pieying
|
||
Updated•7 years ago
|
Group: mozilla-reps-admins → websites-security
Component: Community IT Requests → Phonebook
Product: Mozilla Reps → Participation Infrastructure
Target Milestone: --- → next
Version: unspecified → other
|
|
||
Comment 1•7 years ago
|
||
I can't remove the "security-sensive" flag.. Looks like that got converted from the reps-admin one and I didn't see. Will check if somebody can remove it.
|
||
Updated•7 years ago
|
Group: websites-security
|
||
Comment 3•7 years ago
|
||
Hi Milupo,
can you please provide the exact error text you get?
Have you tried opening the link you get from the "passwordless email" authentication in the same browser window which you used to trigger that email?
Best regards,
Henrik
Flags: needinfo?(hmitsch) → needinfo?(milupo)
|
||
Comment 5•7 years ago
|
||
Log in by Github
|
|
||
Comment 6•7 years ago
|
||
Log in by Google Mail
|
|
||
Comment 7•7 years ago
|
||
Hi Milupo,
you need to login using your Volunteer LDAP account (milupo@sorbzilla.de). The reason for this is that we require people to use their "most secure login method" on sites connected to Mozilla IAM.
Have you configured MFA on that account? If no, please open https://login.mozilla.com and select MFA (multi factor auth) from the left menu.
Please let me know if this works.
Best regards,
Henrik
Flags: needinfo?(milupo)
|
|
||
Comment 8•7 years ago
|
||
Hu Henrik,
above you see the screenshots for log in by email, by Github and by Gmail. The first two show error messages and the Gmail login shows the registration form. I think this is correct because my gmail address is michawjelk@gmail.com and not milupo@sorbzilla.de, and the username field is filled out with "michawjelk" as username.
It seems I lost my LDAP password so I can't log in by LDAP.
It is strange that I can't log in to mozillians.org.
Thanks.
|
|
||
Comment 9•7 years ago
|
||
Hi Milupo,
it is "works as designed" that you can't login to Mozillians.org. This site is integrated with Mozilla IAM. It therefore follows the "use most secure account" rule.
We can reset your lost LDAP password. No problem. I will get this going for you.
Best regards,
Henrik
|
|
||
Comment 10•7 years ago
|
||
Hi Milupo,
let's wait for bug 1437162 to be closed. Once that is done, you can setup MFA (see above). Once that is done, you should be able to log in to Mozillians.org
Let's keep this ticket open until you are successfully logged in to Mozillians.org
Best regards,
Henrik
|
|
||
Comment 11•7 years ago
|
||
Thank you, Henrik. The login by login.mozilla.com does not work. The form does not accept all my usernames and passwords. In April 2016 I got the request to change my LDAP password because the old would expire. I changed it via passwordreset.mozilla.org. The strange thing I don't have mozillians.org among my password domains. At the same time, I got an invitation from Vesper to become a NDA and Jeff wrote me to the same topic. But I refused this proposal. Can this be the reason why my mozillians.org account was classed as "most secure accont"?
Flags: needinfo?(milupo)
|
|
||
Comment 12•7 years ago
|
||
Hi Milupo,
looks like your LDAP account was unblocked via bug 1437162. I commented there to move us ahead with the final MFA step.
Sorry about my bad explanation of "most secure account". When you authenticate with a Mozilla site which uses our Auth0-based login, you are presented with up to 4 authentication methods: LDAP, Github, Google, passwordless email.
There is a "security hierarchy" in these methods, because only LDAP and Github reliably tell us whether or not you use MFA/2FA. That's why we then have the following preference for login: LDAP > Github > Google | passwordless email.
In your case, you should please keep using your Volunteer LDAP (once you configured MFA on it).
Hope this helps?
Best regards,
Henrik
|
|
||
Comment 13•7 years ago
|
||
Sorry, the whole thing is bullshit. What kind of security is it that locks out the people who it shall protect? E-mail login is not possible because passwordless email login is not possible. By LDAP it is not possible because 2-step verification prevents it. Github login is not possible, I don't know why. Login by Google shows me the registration form. So what to do? 2-step verification is only possible if I have a mobile. *head-shaking*
|
|
||
Comment 14•7 years ago
|
||
Michael Wolf (milupo), may I remind you of our Community Participation Guidelines (https://www.mozilla.org/about/governance/policies/participation/). Your language is certainly in violation of various of the points in the "Expected Behavior" section, such as "be respectful", "Be Direct but Professional", and "Understand Different Perspectives".
-Henrik
|
|
||
Comment 15•7 years ago
|
||
Sorry for the expression. Well, that's enough for me. Delete my account, please. Mozillians.org will be a thing of the past for me now.
|
||
Comment 16•7 years ago
|
||
Hey, let's please please stay calm here, we're all on the same side and I think in the end actually on the same page.
You both have been volunteers in this project for a long time and poured so many hours into this project that I hope we can find a solution here that everyone can live with.
Michael, 2 things here:
1) You don't actually need a mobile device for 2-factor auth, there are a number of TOTP applications that run on desktop as well, but for security it's good to have that application on a different device than the one you use to access the actual logins (just to make it harder to get compromised, which is the main reason for 2FA after all anyhow). And even if all the stuff talks about "Duo", it's plain TOTP, which is a standard broadly available in many applications.
2) Please re-think keeping the Mozillians.org account, it's becoming more and more the central place to determine which kind of access you have on various Mozilla sites and services, e.g. if you have NDA access and similar things.
Also, Henrik, I think it might have been a bit fast to pull out the CPG here (I know, that was one strong word, but I understand the level of frustration around this topic), but I also know very well that you have a lot of feelings about this as well given how much work you have put in to make those logins work both as well and as securely as possible for volunteers. Somehow, web logins continue to be a hard topic and source of many frustrating experiences for both those using them and those needing to work with the implementations. ;-)
|
|
||
Comment 17•7 years ago
|
||
I agree with KaiRo, I was probably too fast in referring to the CPG. To my excuse, I had to deal with a lot of tough comments during the past months with regards to our Mozilla IAM implementation. It was not good to express my frustration in this bug.
milupo, please apologize if I offended you. Hope we can convince you to keep your Mozillians.org profile.
Best regards,
Henrik
|
|
||
Comment 18•4 years ago
|
||
Closing due to inactivity.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Whiteboard: [iam-userissue]
You need to log in
before you can comment on or make changes to this bug.
Description
•