Closed Bug 1628596 Opened 5 years ago Closed 5 years ago

locked out of account using 2fa - can't access

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

75 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tomse0008, Assigned: jrgm)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

(using 2FA)
Forgot password, when trying to setup sync a password reset was initiated.
After initiating the password reset, the 2FA needed its code.
Having recently changed phones and not transferred the 2FA app, this was impossible.

Actual results:

I've been locked out of my Mozilla account.
Using 2FA and recently changed phones without moving the auth.

A forgotten password on one computer started a password reset, and ended up being locked out.

The security codes were lost or not downloaded in the first place.

Expected results:

It should be possible to recover access to the account.

Someone mentioned in the forum link below that without the 2FA/password auth there would be no way of identifying who I am.
Well, you have the email address which is the account, so a mail to there would be a good start.

Just creating another account doesn't help with services like Monitor.

The question was asked in the forum
https://support.mozilla.org/en-US/questions/1278773

Assigning "Cloud Services - Server: Firefox Accounts" component.

Assignee: nobody → jrgm
Component: Untriaged → Server: Firefox Accounts
Product: Firefox → Cloud Services

To avoid the possibility of being socially engineered into giving up access to user accounts, we are unable to remove 2FA from user accounts, nor are we able to delete accounts with 2FA enabled. Please see https://support.mozilla.org/en-US/kb/what-if-im-locked-out-two-step-authentication#w_i-lost-my-two-step-authentication-device-canaot-find-recovery-codes-and-donaot-have-a-logged-in-device . I wish I could give a better answer, but we do this to protect users from having their Sync data compromised by malicious parties.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX

I find it bad design or management that it's just tough luck, never to be fixed.
Of course it's possible, it's bound to an email I've used and had for more than 20 years.

"but we do this to protect users from having their Sync data compromised by malicious parties."
A deletion of the account or contents will not compromise the data.

Funny thing, other companies can give a waiting period of 1 month or more, but still give the possibility for a deletion, and re-registration and start over. This is due to a possible email account hack.

The bad design here is that you use the email address as an account name.
