Closed Bug 1500739 Opened 6 years ago Closed 6 years ago

Lost the access to Firefox Account+2FA and hence unable to login

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: roosan.gm, Unassigned)


User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0

Steps to reproduce:

I tried logging in with my Firefox Account.

Actual results:

I am not able to log in because I lost access to 2FA. I don't have recovery codes either.

Expected results:

I should have been able to log in with my Firefox Account. I want to request you to reset my 2FA settings for my account - roosan.gm@gmail.com
Flags: needinfo?(hmitsch)
Dear Firefox Accounts Folks,

this is an interesting case. Bug 1498543 was a Mozilla IAM support case: We had to remove FxA from Roshan's profile in order to allow him to get back into our systems using his Github+2FA identity provider.

This means we verified that roosan.gm@gmail.com actually belongs to Roshan. He has a FxA+2FA and a Github+2FA identity on this email.

Is this proof enough to remove 2FA from his FxA account to allow him to recover his account?

Best regards,
Henrik
Assignee: infra → nobody
Component: Infrastructure: LDAP → Server: Firefox Accounts
Depends on: 1498543
Flags: needinfo?(hmitsch)
Product: Infrastructure & Operations → Cloud Services
QA Contact: jdow
> This means we verified that roosan.gm@gmail.com actually belongs to Roshan.

Out of curiosity, how was this verification achieved?

> Is this proof enough to remove 2FA from his FxA account to allow him to recover his account?

Our current position is that there is no level of verification that would suffice to remove 2FA from a user's account, but this is clearly going to keep coming up. I would consider allowing him to delete and re-create the account after some amount of manual verification; +:adavis and :ulfr for further comment.
Hi Ryan,

> Out of curiosity, how was this verification achieved?

Sorry for not providing enough context. In Mozilla IAM, we can see authentication providers somebody used in the Auth0 records. Simplified, this would look like this:

hmitsch@mozilla.com LDAP
hmitsch@mozilla.com Github

In Roshan's case we had roosan.gm@gmail.com with FxA and Github providers. In Bug 1498543 :kang removed the FxA identity, in order to allow Roshan to use Github for login to Mozilla IAM site (e.g. Reps Portal, Mozillians, etc).

As we know that roosan.gm@gmail.com uses 2FA via Github, we have strong indications that his gmail account was not compromised and that it is actually Roshan on the other end of the keyboard (I am sure kang could say this in more IT security appropriate language).

Maybe this is enough "manual verification" in order for you to enter that "delete & re-create account" scenario?

I am aware that I project a lot of details from the IAM Stack into this message. I am also happy to jump on a call and show how things work via some screenshares?

Best regards,
Henrik
> Our current position is that there is no level of verification that would suffice to remove 2FA from a user's account, but this is clearly going to keep coming up.

I still believe this is the right approach. FxA is a security service and we need to be extra careful about being socially engineered. Regardless of the number of factors, it is the user's responsibility to keep their means of authentication secure.
Hi Julien,

thanks for the comment. I see your point and agree with it.

I guess this means the user has to create a new Firefox Account (and store the recovery key for future use, https://accounts.firefox.com/settings/account_recovery?showAccountRecovery).

Sorry Roshan, we couldn't help more in recovering your account. Closing bug.

Best regards,
Henrik
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Okay. Thanks all of you for your time.
Blocks: 1517660

Have a similar situation, lost 2FA and recovery key. Have my password intact. Trying to get code to my recovery email using the above link, but not getting any codes. Please help

Flags: needinfo?(narenadusumilli)
Flags: needinfo?(narenadusumilli)