Closed Bug 1536716 Opened 6 years ago Closed 6 years ago

BMO MFA doesn't support GitHub login i.e., password-less auth

Categories

(bugzilla.mozilla.org :: General, defect)

Staging
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: jbeich, Unassigned)

Details

I use GitHub with 2FA enabled to log in on bugzilla.mozilla.org. After Phabricator became a requirement to review patches it's no longer possible for me to contribute. Giving up 2FA just to set up another 2FA isn't more secure, so the rationale in bug 1473269 doesn't apply.

Steps to reproduce:

  1. Open https://bugzilla.mozilla.org/
  2. Sign in via GitHub button
  3. Click on Account -> Preferences -> Two-Factor Authentication
  4. Click on Time-based One-Time Password (TOTP)
  5. Fill "Code" field based on QR code image
  6. Notice "Please fill out this field" under "Current Password"

Actual result:

  1. Unable to fill out as GitHub login doesn't use password

Expected result:

  1. Empty password is accepted
  2. Two-Factor Authentication is enabled
  3. phabricator.services.mozilla.com no longer shows "Bugzilla MFA Not Enabled"

Hi Jan

I'm the manager for engineering workflow which is responsible for Phabricator, Bugzilla, Lando, hg.mozilla.org among other services.

In-Bugzilla 2FA is a requirement for contributing code to Mozilla projects. Given that you use 2FA for github, it's not an onerous request to ask you to use one with Bugzilla as well. Using a password manager makes this a streamlined workflow.

I would also ask that you not abuse feedback flags to try to circumvent commit policy, if you would like to continue contributing.

I'm going to close this bug wontfix.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

(In reply to Kim Moir [:kmoir] ET from comment #1)

> Given that you use 2FA for github, it's not an onerous request to ask you to use one with Bugzilla as well.

Sure. GitLab can do 2FA on top of GitHub 2FA. Why can't Mozilla? Why did Mozilla allow sign-in on BMO via GitHub? If I may guess, GitHub login was a replacement for Persona (aka BrowserID), which was in turn a more secure replacement for login/password.

> Using a password manager makes this a streamlined workflow.

I don't trust Mozilla with my password and I don't trust passwords in general. As a volunteer I have a choice to not accept discrimination against my login method of choice based on corporate rules. Or did Mozilla Foundation vs. Mozilla Corporation distinction erode over the years?

> I would also ask that you not abuse feedback flags to try to circumvent commit policy, if you would like to continue contributing.

OK. I'll just ask other people to request review on my behalf, granting authorship in the process. If that is still not acceptable, please explain how Mozilla is any less evil than Google (where the CLA forces you to sign up for a Google Account) when it comes to treating contributions from volunteers?
