
It's easy to lose access to two factor authentication.

Open crocket opened this issue 7 years ago • 15 comments

When my phone is formatted, stolen, or disposed of without registering TOTP to another phone, I'd be locked out of my account.

lobste.rs needs one of the following.

  1. (Show TOTP secret and) strongly suggest that users save the TOTP secret somewhere.
  2. Dispense one-time backup codes to anyone who turns on two factor authentication.

Not everyone knows enough to save a hidden TOTP secret along with password. Without a strong suggestion, even a technical person could forget to store the TOTP secret.

crocket avatar Feb 24 '17 23:02 crocket

Tom convinced me that one-time backup codes are a better solution than storing the secret, so I'd prefer to implement that.

jcs avatar Feb 25 '17 20:02 jcs

The more backup codes there are, the less secure an account is. The longer the backup codes are, the more secure an account is. Backup codes are usually more susceptible to brute-force attacks than TOTP secrets are. A hacker only needs to obtain one of the backup codes once to compromise an account. Intrusions need to be detected and blocked early. Recovery needs to be secure but convenient.

crocket avatar Feb 25 '17 22:02 crocket

Something like this would be fantastic as I've now found myself in this situation after a phone-related catastrophe.

While I agree that backup codes and the like could provide some account vulnerability, not being able to access your account is a poor alternative.

I can only picture that meme: "Your account can't be compromised if even you can't access your account."

amsross avatar Oct 18 '17 14:10 amsross

I've lost access to my account by changing phones (old one no longer turns on). I cannot find anything that describes what I should do; I found this open issue by digging around off the lobste.rs site with a search engine.

The lost password recovery seems to work, but of course only resets the password whilst the TOTP hurdle still remains.

What should I do?

jimdigriz avatar Mar 27 '18 11:03 jimdigriz

I also just bumped into this issue after changing phone. I was lucky in that I was still logged in on one machine so could disable/re-enable 2FA.

jamesog avatar May 12 '18 19:05 jamesog

I'm also locked out of my account due to changing phones and can't seem to find any way of recovering my account. Could someone please point me to a solution?

nerosnm avatar Apr 26 '19 17:04 nerosnm

@sorenmortensen

Reach out to me via email or IRC, at the address or nick you can find on my profile page, /u/alynpost. If I can verify you we can recover your account.

alanpost avatar Apr 26 '19 18:04 alanpost

@alanpost As requested, here is the key you sent to me: pgqfxbbifo3gdf0gbcdp

nerosnm avatar Apr 27 '19 20:04 nerosnm

Thank you @sorenmortensen. That demonstrates you control the GitHub account and email address associated with your lobste.rs account. Given the risk involved here that's sufficient: I've reset your 2FA. For folk reading in the same situation as Søren you can reach out to pushcx or myself directly and we'll perform a similar and sufficient process to verify you.

For folk working on our 2FA support thank you for any improvements you can make.

alanpost avatar Apr 27 '19 21:04 alanpost

> I also just bumped into this issue after changing phone. I was lucky in that I was still logged in on one machine so could disable/re-enable 2FA.

Which is arguably a problem in itself. I'm in favour of requiring a 2FA code (to prove possession) or a recovery code in order to disable 2FA.

gutoandreollo avatar Jun 09 '20 20:06 gutoandreollo

Prompted by GitLab's recent policy change I think maybe we should get around to implementing recovery codes here and then maybe adopt the same policy of never resetting 2FA. If we reset based on email/linked accounts - we've helped users, and I don't think we've yet seen ATO attacks, but our 2FA isn't really providing any added security anymore.

So, when a user successfully enables 2FA, display 3 random string recovery codes (Utils.random_str(20)) and stick them in the user settings hash with a comma between them. The display should have a button saying "email codes to me" and a dire warning that, no really, if you lose these you're going to be permanently locked out. And then we can harden our hearts and accept that we may lose about one user per month over it, as that's our contact rate for resets. Or maybe design an arduous process where, in response to a plausible request (controls email/linked accounts, account logins stopped, nothing feels off), lock the account for a few months to give a real owner facing ATO enough time to recover their other accounts, and only then reset.

The other direction we could go would be to stop pretending our 2FA is a meaningful security control and remove all the 2FA code.

There is probably an authoritative 10k word essay out there on how to design this process from someone who works in security. If someone reading this knows where that article is, please submit it to Lobsters. :) Or DM/email me the name of the book it's a chapter in.

pushcx avatar Aug 26 '20 15:08 pushcx
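A sketch of the recovery-code scheme proposed in the comment above, as an added example (not Lobsters' code): three 20-character codes, comma-joined into the user settings hash, displayed once. Two details are my own assumptions rather than the proposal's: `Utils.random_str` is replaced by a local stand-in, and the settings hash stores SHA-256 digests instead of the plaintext codes so that reading the database does not yield working codes; consuming a code removes it, which is what makes each code one-time.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not Lobsters' code. Recovery codes are generated once,
# shown to the user in plaintext, and persisted only as digests.
module RecoveryCodes
  CODE_COUNT  = 3
  CODE_LENGTH = 20
  ALPHABET    = ('a'..'z').to_a + ('0'..'9').to_a

  # Stand-in for Utils.random_str(20) from the comment above (assumption:
  # lowercase alphanumerics drawn from a CSPRNG).
  def self.random_str(len)
    Array.new(len) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
  end

  # Normalise user input (whitespace, case) before hashing so a code copied
  # from an email still matches.
  def self.digest(code)
    OpenSSL::Digest::SHA256.hexdigest(code.to_s.strip.downcase)
  end

  # Constant-time comparison so timing does not reveal how many leading
  # characters of a guess matched a stored digest.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns [plaintext codes to display once, new settings hash to persist].
  # The settings hash is not mutated; the caller saves the returned copy.
  def self.generate(settings = {})
    codes = Array.new(CODE_COUNT) { random_str(CODE_LENGTH) }
    stored = codes.map { |c| digest(c) }.join(',')
    [codes, settings.merge('recovery_codes' => stored)]
  end

  # Consumes a submitted code. Returns the updated settings hash (with that
  # code removed) on success, or nil if the code is unknown or already used.
  def self.consume(settings, submitted)
    stored = settings.fetch('recovery_codes', '').split(',')
    d = digest(submitted)
    idx = stored.index { |h| secure_equal?(h, d) }
    return nil if idx.nil?
    stored.delete_at(idx)
    settings.merge('recovery_codes' => stored.join(','))
  end
end
```

On a successful `consume` the caller should clear the TOTP secret (or let the user enrol a new device) and persist the returned settings so the same code cannot be replayed.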

I'm used to copying the TOTP secret into my password manager, since it can't scan. Is this something being worked on? I haven't explored the code but maybe I could whip something up to show the code in the QR modal. Happy to open a new issue to track this.

As it stands, in order to get the secret I had to inspect the QR code DOM element and extract the secret from the data URL.

jrhorn424 avatar Oct 07 '20 19:10 jrhorn424

I'm currently facing a somewhat similar issue: a while back I disabled my Lobste.rs account, and deleted its entry from my password manager. As part of this, I forgot to disable 2FA first.

Recently I wanted to re-activate it (which is possible by just logging in again), mainly due to the recent Reddit SNAFU. Upon resetting the password, I was greeted with the 2FA form, and thus not able to proceed. I've tried emailing @pushcx but without any luck so far (if the email did arrive, sorry for the noise!) :disappointed:

While this particular case is probably a bit rare, I think it could be helpful to automatically disable 2FA upon flagging one's account as inactive.

yorickpeterse avatar Jul 31 '23 23:07 yorickpeterse

Due to an accident, I lost my 2fac and face now a similar issue. I am locked out of my lobste.rs account with no way to recover. I tried to contact pushcx both via mastodon and mail without any luck. It would be great to have a way to recover from this or the ability to add a second 2fac (e.g. a yubikey).

dsp avatar Nov 08 '23 11:11 dsp

@pushcx I am posting here to verify that I am https://lobste.rs/~cirla (this is the github account linked in my profile) and to request a 2FA reset at your earliest convenience. Thank you!

cirla avatar Jan 10 '24 15:01 cirla

@pushcx I am posting here to verify that I am https://lobste.rs/~prinzpiuz, the GitHub account I verified. Please help reset my 2FA, thank you.

prinzpiuz avatar Mar 12 '24 06:03 prinzpiuz

@pushcx Is this the best way to get one's 2FA reset?

waferbaby avatar Apr 15 '24 14:04 waferbaby

Mostly people email me, but I suppose it saves a round trip on email when someone's authenticated their github account. (I've followed up by email on these requests.)

pushcx avatar Apr 15 '24 16:04 pushcx