
Deleting 2FA App requires 2FA App's code

Open tadhglewis opened this issue 5 years ago • 18 comments

Describe the bug: Unable to delete 2FA App (Google Authenticator) without the 2FA app's code

To Reproduce: steps to reproduce the behavior:

  1. Go to Account > Security
  2. Enable 2FA and add Google Authenticator (or MS Authenticator etc)

Expected behavior: Be able to delete a 2FA app without the code from that specific 2FA app. If you lose your phone, for example...

Screenshots: N/A

Desktop (please complete the following information):

  • OS: Windows
  • Browser Chrome
  • Version 78.0.3904.108

Smartphone (please complete the following information):

  • Device: N/A
  • OS: N/A
  • Browser N/A
  • Version N/A

Additional context: This can be found in user-security-totp-delete.controller.js > deleteDoubleAuthTotp. It calls DoubleAuthTotpService.disable before deleting; however, the API enforces both the 2FA id AND the 2FA code for /me/accessRestriction/totp/{id}/disable, so it returns an error and does not proceed to DoubleAuthTotpService.delete.

This should be bypassed and go straight to DoubleAuthTotpService.delete.

I am happy to submit a pull request for this but would like to get some feedback first on the intended functionality and side effects of just skipping DoubleAuthTotpService.disable, as I'm not too familiar with this code/API.

The delete popup should also be altered to not require the 2FA code and instead have a confirm delete popup

tadhglewis avatar Dec 05 '19 10:12 tadhglewis

Hello @tadhglewis,

thanks for this report.

I will ask the teams what should be done about this and then I'll come back to you :)

FredericEspiau avatar Dec 09 '19 08:12 FredericEspiau

Hi, already talked about this at the end of April 2019 with Thomas SOETE, and yes, it is still an issue. And it's not just a manager UI issue; the behaviour has to be changed on the API side first (you cannot delete an enabled 2FA, and to disable it, you have to use that 2FA method).

julieni avatar Dec 09 '19 09:12 julieni

@julieni Ah I see what you mean regarding the API, I'll leave this issue here until this is changed on the api and then I'll submit a pull request once this has been changed.

tadhglewis avatar Dec 09 '19 09:12 tadhglewis

cc @Alkorin

antleblanc avatar Dec 18 '19 13:12 antleblanc

This is still an issue. The only way to remove a 2FA, even if another one is registered, is to go via the support.

FlorianLudwig avatar May 27 '20 10:05 FlorianLudwig

one year later, still not fixed

airmoi avatar Jun 21 '21 11:06 airmoi

Being unable to quickly revoke a 2FA auth source you no longer have access to is a huge bummer and serious security issue... So if you do everything right but get your phone stolen while you were using it (so phone unlocked) you have no other option than to rely on OVH support to be quick enough to handle your support ticket?!

TrogloGeek avatar Oct 09 '21 21:10 TrogloGeek

@TrogloGeek if you want anything from OVH quick, you should call them and not go through a ticket.

Anyway, the solution is not fast support. That by itself is a security threat: if it is too easy to get support to remove 2FA, that is a much bigger security threat than being unable to remove an old 2FA, as it is more likely to have a social engineering attack than having your 2FA stolen. If someone steals your 2FA (esp. phone), then most likely they want the phone, not the 2FA. If you worry about targeted attacks to steal your unlocked phone, you might want to update your threat model: from my experience, it would be a lot easier to get OVH support to remove your 2FA instead of stealing it.

FlorianLudwig avatar Oct 10 '21 07:10 FlorianLudwig

this is simply unacceptable

fsotosan avatar Nov 14 '21 18:11 fsotosan

Haven't worked on anything that uses OVH in a while but I keep noticing this GitHub issue come up on my activity feed...

This is insane that it's still an issue. It's a basic security feature.

@FlorianLudwig regarding your point on calling them, no, from experience you cannot call them for security related things, whenever I contacted OVH for security things (including by support ticket or email) they told me to email [email protected] with a copy of my identification.

tadhglewis avatar Nov 19 '21 05:11 tadhglewis

@tadhglewis I had 3 2FAs in my account (two mobile numbers, one hardware key). I asked them to remove one of the mobile numbers (not sure anymore if via phone or ticket), definitely without any identification (never done this in years of being an OVH customer). Maybe that security issue only exists for ovh.de though.

FlorianLudwig avatar Nov 19 '21 08:11 FlorianLudwig

This is insane that it's still an issue!!

faisal95bd avatar Nov 29 '21 08:11 faisal95bd

Thanks everyone for your feedback.

Just wanted to let you know that this issue has been reported to the team and we will keep you posted once a patch will be deployed.

Thanks, Antoine

antleblanc avatar Dec 08 '21 06:12 antleblanc

I cannot remove a link to an app without having access to the app. I changed phone, accessing the app is impossible. How long has this issue been reported, and it is still not fixed? This is insane.

QuentinLeCaignec avatar Apr 29 '22 23:04 QuentinLeCaignec

This needs to be fixed ASAP as this is a huuuuge security Issue. We need to disable Admins that leave the company and WITHOUT access to the mobile App.

ripkens avatar May 13 '22 12:05 ripkens

Bumping this thread, still an issue. My phone is gone and I just want to clear the device.

egubi avatar Jun 26 '22 08:06 egubi

The same applies to the physical 2FA keys. To delete a key, you need to authorize using exactly the same particular key. Other keys are not accepted, although they can be used to access the account. This poses a great risk of others accessing your account when the affected YubiKey is stolen, as you are no longer able to remove it.

vikin91 avatar Aug 20 '22 09:08 vikin91

Please fix this issue. I have an unknown device showing up in my list of mobile applications I need to delete.

99Percent avatar Sep 13 '22 14:09 99Percent

Yes fix please.

Leopere avatar Oct 21 '22 15:10 Leopere

Yes fix please. Confirmed still an issue in 2022 10 21

Leopere avatar Oct 21 '22 21:10 Leopere

Please fix this. I tried to delete mobile app from settings and It is still not possible without 2FA from this app.

digoben avatar Nov 08 '22 21:11 digoben

The solution was to contact support and spill the beans on all of your account details to the support agent to ensure that you are who you say you are. It's clunky as heck when you're already logged in and can see all of that data without the TFA.

Leopere avatar Nov 18 '22 21:11 Leopere

Come on, it's been since 2019 ...

jbgomond avatar May 02 '23 20:05 jbgomond

+1 Still an issue, are we going for a record?

bigmonmulgrew avatar Jun 23 '23 07:06 bigmonmulgrew

This is still an issue. The only way to remove a 2FA, even if another one is registered, is to go via the support.

Going through this now, and it's a pain in the backside. I have to provide screenshots of the error, I've had about 6 messages back and forth so far and am now waiting after the issue was escalated.

Clearly the +1s have been doing nothing. This is going to get made a priority when they get a lot of support requests and it's eating up time. I wonder if there's not actually many people needing it, or most people just can't be bothered and leave the dead authenticator on the account.

In my case I reset the device so it's not an issue, but what about cases of a stolen device or ex-employee? Being unable to remove a stolen authenticator is a pretty big security vulnerability IMO.

bigmonmulgrew avatar Jul 01 '23 10:07 bigmonmulgrew

You also cannot delete old TFAs without the TFA you want to delete, it seems, which leaves open a huge security hole in your account.

Leopere avatar Jul 01 '23 12:07 Leopere

Clearly the +1s have been doing nothing. This is going to get made a priority when they get a lot of support requests and it's eating up time. I wonder if there's not actually many people needing it, or most people just can't be bothered and leave the dead authenticator on the account.

In my case I reset the device so it's not an issue, but what about cases of a stolen device or ex-employee? Being unable to remove a stolen authenticator is a pretty big security vulnerability IMO.

Totally agree.

To everyone: please don't post here that you agree; it only triggers the notification for everyone who is subscribed here hoping for news on the resolution.

Please report it instead via the support or your account manager as a security issue.

FlorianLudwig avatar Jul 07 '23 16:07 FlorianLudwig

Hi, now that https://github.com/ovh/manager/pull/10084 is out, TOTP and the Webauthn/Fido scheme are not handled the same any more on the dashboard / security view: Webauthn/Fido keys are allowed to be removed without getting the key back to the computer, while a TOTP code has to be typed to remove a TOTP factor. It's quite confusing.

jonathandhn avatar Nov 07 '23 13:11 jonathandhn

The logic here is understandably broken and likely should be reworked such that once you're logged in, either via email reset or administrative reset, the TFA needs to be re-enabled. You should probably already have your email secured with a TFA if you rely on TFA. Since passwords are intended to not be based on an algorithm, quantum factorization isn't a concern so much, and if you have a reasonable password beyond a reasonable limit, given the combination of retry limitations and password complexity along with healthy alerting and user account locking.

Leopere avatar Nov 07 '23 14:11 Leopere

Still in 2024 this keeps happening... I can't remove old auth methods

jorpilo avatar Mar 26 '24 19:03 jorpilo