Closed Bug 1514150 Opened 6 years ago Closed 6 years ago

Discourse requires 2FA to log in

Categories

(Infrastructure & Operations :: Community IT: Discourse, task)

Production
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: lidel, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:
I tried to log into http://discourse.mozilla.org using my Firefox Account and was presented with the attached error. The account did not have 2FA set up at the time.

Actual results:
I am unable to log in. Not sure if this is due to a bug specific to my account, or a global flag flipped to require 2FA on Discourse for some reason.

Expected results:
I feel a user should be able to log in to the Discourse forums without the chore of setting up 2FA. Rationale: 2FA is not required at http://addons.mozilla.org which is far more sensitive as it enables people to publish add-ons. Unless it is also required there, it makes no sense to require it on http://discourse.mozilla.org
(In reply to Marcin Rataj from comment #0)
> 2FA is not required at http://addons.mozilla.org which is far more sensitive
> as enables people to publish add-ons. Unless it is also required there, it
> makes no sense to require it on http://discourse.mozilla.org

What if the (external) Discourse software has a 2FA implementation while the (self-developed) addons software has not? I don't think improvements to safety and security on Mozilla websites should only be made available if deployed in a certain order of websites? Is there any technical problem which blocks you from using 2FA?
Or in other words: Do not make it safer for users on website A, as long as users on separate website B are not safer? That does not make sense.
What I meant is that it looks like a bug because a sensitive website (addons) does not require 2FA while a simple discussion forum does. It feels like a bug or overkill. Personally I have no problem with setting up 2FA, but less technical people interested in participating in the community forum may get discouraged if they need to go over the steps from https://support.mozilla.org/en-US/kb/secure-firefox-account-two-step-authentication just to make a post on a forum.

Thanks for this report, we've improved this behaviour so now 2FA is only required for users with access to confidential information: https://discourse.mozilla.org/t/mozilla-discourse-release-2019-02-27/36283

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED