Closed
Bug 1500739
Opened 6 years ago
Closed 6 years ago
Lost the access to Firefox Account+2FA and hence unable to login
Categories
(Cloud Services :: Server: Firefox Accounts, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: roosan.gm, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Steps to reproduce:
I tried logging in with my Firefox Account.
Actual results:
I am not able to log in because I lost access to 2FA. I don't have recovery codes either.
Expected results:
I should have been able to log in with my Firefox Account. I want to request you to reset my 2FA settings for my account - roosan.gm@gmail.com
Updated•6 years ago
Flags: needinfo?(hmitsch)
Comment 1•6 years ago
Dear Firefox Accounts Folks,
this is an interesting case. Bug 1498543 was a Mozilla IAM support case: We had to remove FxA from Roshan's profile in order to allow him to get back into our systems using his Github+2FA identity provider.
This means we verified that roosan.gm@gmail.com actually belongs to Roshan. He has a FxA+2FA and a Github+2FA identity on this email.
Is this proof enough to remove 2FA from his FxA account to allow him to recover his account?
Best regards,
Henrik
Assignee: infra → nobody
Component: Infrastructure: LDAP → Server: Firefox Accounts
Depends on: 1498543
Flags: needinfo?(hmitsch)
Product: Infrastructure & Operations → Cloud Services
QA Contact: jdow
Comment 2•6 years ago
> This means we verified that roosan.gm@gmail.com actually belongs to Roshan.
Out of curiosity, how was this verification achieved?
> Is this proof enough to remove 2FA from his FxA account to allow him to recover his account?
Our current position is that there is no level of verification that would suffice to remove 2FA from a user's account, but this is clearly going to keep coming up. I would consider allowing him to delete and re-create the account after some amount of manual verification; +:adavis and :ulfr for further comment.
Comment 3•6 years ago
Hi Ryan,
> Out of curiosity, how was this verification achieved?
Sorry for not providing enough context.
In Mozilla IAM, we can see authentication providers somebody used in the Auth0 records. Simplified, this would look like this:
hmitsch@mozilla.com LDAP
hmitsch@mozilla.com Github
In Roshan's case we had roosan.gm@gmail.com with FxA and Github providers. In Bug 1498543 :kang removed the FxA identity, in order to allow Roshan to use Github for login to Mozilla IAM sites (e.g. Reps Portal, Mozillians, etc.).
As we know that roosan.gm@gmail.com uses 2FA via Github, we have strong indications that his gmail account was not compromised and that it is actually Roshan on the other end of the keyboard (I am sure kang could say this in more IT-security-appropriate language).
Maybe this is enough "manual verification" in order for you to enter that "delete & re-create account" scenario?
I am aware that I project a lot of details from the IAM Stack into this message. I am also happy to jump on a call and show how things work via some screenshares?
Best regards,
Henrik
Comment 4•6 years ago
> Our current position is that there is no level of verification that would suffice to remove 2FA from a user's account, but this is clearly going to keep coming up.
I still believe this is the right approach. FxA is a security service and we need to be extra careful about being socially engineered. Regardless of the number of factors, it is the user's responsibility to keep their means of authentication secure.
Comment 5•6 years ago
Hi Julien,
thanks for the comment. I see your point and agree with it.
I guess this means the user has to create a new Firefox Account (and store the recovery key for future use, https://accounts.firefox.com/settings/account_recovery?showAccountRecovery).
Sorry Roshan we couldn't help more in recovering your account. Closing bug.
Best regards,
Henrik
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Reporter
Comment 6•6 years ago
Okay.
Thanks all of you for your time.
Comment 7•3 years ago
Have a similar situation: lost 2FA and recovery key. Have my password intact. Trying to get a code to my recovery email using the above link, but not getting any codes. Please help.
Flags: needinfo?(narenadusumilli)
Updated•3 years ago
Flags: needinfo?(narenadusumilli)