2FA cannot be mandatory

Tags: participation, privacysecurity, login

#1

Hi. I just got to a discussion here in discourse.mozilla.org that I wanted to join. So I tried to login or register. I tried a passwordless login, but it didn’t work. I tried my GitHub login, but got the “you need 2FA” error. Then I tried Firefox login, and the same error showed. Then I tried Google login, and got “you have to use your most secure login, which is Firefox login” or something like that. I happen to manage my whole life without 2FA and everything runs smoothly. And then I am forced by an entity that says it’s “open” etc. to start using a security measure I simply don’t want. Why? Because given the right “persuasion” upon theft of your device, the possession of it allows aggressors to do more damage and have more control of your accounts than they would if I could just reset my passwords using a secretly known second e-mail, for instance. Sure, these are two approaches, each of them with its own risks. But that’s exactly the point: it’s up to the user to choose which risks one’s willing to take and which ones not, right? This login system is the most aggressive I have ever seen anywhere online, even considering non-democratic countries! A “dictatorship of [insert any value you consider the most important in life]” is still a dictatorship, ok?

But did I say I don’t want to use 2FA? Let’s switch from “don’t want” to “can’t”. To use 2FA, one could be forced to spend a lot of money buying a device that one really shouldn’t be forced to buy. Do not forget you are not setting up a login for users from North America and Europe only. We’re talking about the whole world, which means a lot of people have their digital homes in public/shared computers and have access to no other electronic devices (at least not Internet connected devices).

And what is the most absurd of it all, to discuss anything regarding the IAM system, you first have to successfully log in using IAM itself. Cool, right?

No. Not cool. I eventually got in through a temporary e-mail by passwordless login. Does this sound any right?

So sure, 2FA can sound amazing for some. But change socio-economic (including urban violence) reality and you may switch your side on this matter. And even if you don’t, and even if I am completely wrong, I still shouldn’t be forced to adopt something (that only affects my security).

(BTW, Mozilla accepts my 1FA to store and sync a lot of sensitive info, like browsing history, open tabs, bookmarks etc. but does not accept the same security level for discussing in a forum? This is really, really bad decision making…)


(Henrik Mitsch) #2

Hi @here_there_everywhere,

We hear you. And we are working on the UX and business rules in Mozilla IAM. You are not alone with your frustration about the current state.

At this point I am quite certain that we will be able to come back with better news before the end of the year. So please bear with us.

In the meantime we have a couple of options we can offer:

  • We can reset your account so you can use Google as authentication provider. If you want this, please send me a message to hmitsch@mozilla.com with your email address.
  • We can try to investigate what’s wrong with that initial email auth that went wrong in your case (and reset you to that method). In this case please send me an email too.

Regards,
Henrik


#3

Hi Henrik,

I think “by the end of the year” is too far away, especially for something so aggressive as this is felt.

Since it’s a Mozilla service, I’d be glad to use my (1FA) Firefox account. But if it isn’t possible, I’d happily use Google login. I’ll e-mail you about this, using “IAM: upset_user login troubleshooting” as subject. Thank you.


(Henrik Mitsch) #4

Hi @here_there_everywhere,

unfortunately FxA+1FA is not a supported scenario at this point. We reset your profile and you should be able to use Google auth now.

Best regards,
Henrik


#5

Thanks for resetting, but it didn’t work, as I described in the email I just sent you.

BTW, users should have an easily accessible button to make this reset when they get that error I saw! Please make this happen ASAP for everyone else.


(Henrik Mitsch) #6

For the record: Issue is finally solved. :slight_smile:


(Ranjith Raj) #7

This twitter thread by the head of threat intelligence at Google seems interesting.


#8

My personal issue is solved, indeed. But, just to make it clear, the issue is not solved, right?

My personal issue required two steps for solution: first, Henrik (@hmitsch) had to pull some levers to reset my profile login mechanisms or something like that; but I also had to perform some very risky and tricky operations with one hand to turn off the problematic autologin thing, as instructed by Henrik: “What you can do is clear the autologin method from localStorage, by running localStorage.removeItem('nlx-last-used-connection') in the Console of your browser Developer Tools. This needs to happen while on the auth.mozilla.auth0.com domain, so best stop page loading as soon as you get to that page”.

So he did his part, I did mine, and I am clear, as I can now login using a Google account. But everyone else is still behind.

This error message [https://discourse-paas-production-content.s3.amazonaws.com/original/3X/c/5/c52a3496936c123e4a029d821ff570e422214375.png] should also contain (1) instructions on how to work around it and (2) a button for users to self reset their profile’s login (as it is needed to achieve the workaround). And this should not wait until “the end of the year”.

(BTW, there are other people not wanting mandatory 2FA that already managed to eventually get to this forum and say it: [IMPORTANT] Changing the look of your login, Can't log in to Mozillians, etc.)

But, as for my personal issue, this topic can be closed.


(Leo McArdle) #9

Yes, the general issue isn’t solved.

Solving the root of the problem - technically preventing users from getting into this situation, or providing them an easy way to get out of it (requiring no admin intervention) - is what’ll take until the end of the year. Not because it’s not a priority, but because it’s a complicated problem with many technical, security and UX implications. It’s being actively worked on.

Better messaging to reduce the number of users who are getting into this situation is also being worked on, and will be done well before the end of the year.


#10

Since we are still here discussing 2FA in general (see @ranjithraj’s reply above), we should always consider the risk of 2FA backfiring: if I steal your device and know your password, I have full (and stable) control over your account. I can change the password recovery option, the secondary e-mail, even switch 2FA to live in a second device (of my own): at the end, I can even get to “be you”.

And there’s what’s in the middle: I could simply lose access. Say I use a FIDO U2F key and lose it somewhere (or it’s in my backpack, or in my car, when they are stolen): even if the thief doesn’t know what it is, I don’t have it with me anymore…

So adopting 2FA (of any kind, or any other security solution for this matter) always means trading one risk for another! So this cannot ever be mandatory.

I would suggest simply removing the 2FA requirement whatsoever and for good.


(Leo McArdle) #11

Yes, but stealing your phone requires physical access, where just stealing (or guessing, or phishing from you) your password can be done remotely, which is much, much easier to do. So while 2FA isn’t perfect security, perfect security doesn’t exist:

That’s why 2FA backup codes exist. And there’s always the last resort of manual intervention to help you recover your account.

2FA isn’t mandatory for everyone, but as has been said in this thread we need to improve messaging and flows so that those users who don’t need to enable 2FA don’t get stuck in a position where they have to.

That won’t, and cannot, happen. 2FA is far more secure than single factor authentication, and is a requirement because confidential information is accessible on discourse.


#12

Thank you for the XKCD quote. Just perfect.

As to the reasoning in the last sentence (“2FA […] is a requirement because confidential information is accessible on discourse”), the conclusion does not follow (necessarily) from the reason given: many people have (much more) confidential information elsewhere and 2FA still isn’t mandatory (e-mail accounts, banks…).


(Leo McArdle) #13

Just because some banks and email providers don’t practice good security doesn’t mean Mozilla shouldn’t.


#14

Just now: it took about 40 minutes + a number of attempts to login here - is it normal?!


(Hidde de Vries) #15

@BioLocator: that doesn’t sound good, could you describe what happened?


#16

My problem is similar to

[quote=“here_there_everywhere, post:1, topic:30352”]
got the “you need 2FA” error. Then I tried Firefox login, and the same error showed.
[/quote]
For Discourse, Firefox login is useless. AT ALL.
After turning 2FA ON, I discovered the necessity to install the Authy application on my tablet. Without a nearby Wi-Fi AP it turned into a very interesting exercise)
But it was only the first fun exercise of several others.
For an unclear reason the installed Authy application produced wrong codes - it was a more fun trick). Only after many unsuccessful attempts to log in did I guess to reinstall Authy and go all the way again.
It’s hard for me to believe that it’s behind…
Finally I got into a real paranoiac company?
Next time will that quest need to be repeated? Thank you very much…


(Hidde de Vries) #17

I realise 2FA isn’t always so much fun to set up.

One way to get around it here on Discourse is by using Passwordless login; this works by entering a new email address and choosing ‘Send me an email’. Note that if the email address is the same as the one you registered before, it will ask you to use Firefox Accounts with 2FA.

Hope this helps!


(Vlads777) #18

Same issue here. Totally agree with the OP’s views.


(Henrik Mitsch) #19

Hi @vlads777 and @BioLocator,

do you still have any login issues with Mozilla IAM?

Best regards,
Henrik


(ME) #20

(I guess not.)
https://www.businessinsider.com/world-population-mobile-devices-2017-9 :
Unique mobile subscribers globally passed 5 billion in Q2 2017; over two-thirds of the world’s population is connected by mobile device. Many 2FA devices are even cheaper than a mobile; there are $10 ones that don’t require network access. And some (such as fingerprints & faces) are $0. There are several that are paper-based - e.g. grids and simple OTPs (e.g. PPP).

More importantly, I’m convinced the benefits of pushing it far outweigh the downsides. Of course 2FA is a hassle. But generally, we’re doing our users who don’t use 2FA a favor by pushing them to act in their own longer-term self interest - well, except that as this thread makes clear, it’s actually far from mandatory. The poster who installed Authy may well be a good example of someone who’s been done a favor they may not appreciate - yet. But that sort of attitude is not really one that fits the Firefox vibe, so it’s appropriate to make the changes that folks have said are already planned.

Just my 2¢, and I did just have to set up 2FA for my mozilla account, but it was easy, as I use it elsewhere - most, if not all places I go that offer it. And I’ve recently felt the pain - been through the hassle of dealing with a lost second factor - definitely a better experience than that of discovering and dealing with the fact that an account had been breached.