Github login issue


(Lusito) #1

Why is it suddenly required to use 2FA on discourse.mozilla.org?
I can’t even login via email, as it says I need to use my github login.
This is a new account I set up just for asking this, as the really helpful “need help?” button on the login form just sends you to another login form!


(Henrik Mitsch) #2

Hi @Lus1to,

I guess your original profile is @Lusito?

You had used Github login previously. We implemented a business rule in Mozilla #iam which requires people to use their most secure login. The hierarchy is:

LDAP > GitHub+2FA > Google > (Passwordless) Email

In your case GitHub+2FA is the most secure authentication provider. That’s why we ask you to keep using it.

If you need help in setting up 2FA on GitHub, please take a look at https://wiki.mozilla.org/IAM/Frequently_asked_questions#Q:How_can_I_set_up_two-factor_authentication.282FA.29_for_my_github_account.3F

Hope this is helpful?

Best regards,
Henrik

/cc @yousef @leo


(Lusito) #3

Yes, my original profile is @Lusito.

I’m asking why is it required to use 2FA? Why can’t I decide which way to login?
I’ve read too many horror stories and reviews where 2FA got people to lose access to their accounts.
I don’t really want to use 2FA until it has matured and if possible there should be an app that is not made by Google (the only alternative, Duo, only has a couple of thousand users and also a lot of bad reviews).

Aside from that, I want to be able to login even when my phone is dead, stolen, has no battery left or simply when I have no internet access on my phone. Worst case scenario my house burning down with all my data in it, then I lose access to my account? No thanks.


(Henrik Mitsch) #4

Hi @Lus1to,

actually I think you just helped us to identify a gap in our Mozilla #iam business rules. I will file a feature request and post the link below.

Please be advised that most Mozilla Staff is on vacation until early January. So we cannot get this implemented in the short term. @leo will follow up with you in a bit to offer a temporary solution for Discourse.

Best regards,
Henrik


(Henrik Mitsch) #5

Here is the link to the #iam feature request:


(Leo McArdle) #6

Yeah… that’s not ideal, thanks for letting us know - we’ll get it fixed.

I would disagree and say it is mature, but I completely understand if you don’t want to use it. This requirement was implemented with users who have access to confidential Mozilla data in mind, which makes it a bit heavy handed for everyone else.

Personally, I use Authy for 2FA, and I’m a big fan of it - especially because it encrypts and backs up my keys in the cloud, so if I do ever lose my phone then I just need to download the app on another one, and enter my password.

There are even open source 2FA apps: https://freeotp.github.io/

TOTP, the protocol behind most 2FA implementations, doesn’t require internet access to use, as it uses the current time to generate the code you use. So, the only requirement is that your clock is relatively accurate.

I’ll take it into a PM.
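
Added example, not part of the original posts: a minimal RFC 6238 TOTP generator and verifier showing why the code can be computed offline and how much clock drift a server tolerates. The key is the published RFC test key; the `verify` helper and its `window` parameter are assumptions for illustration, not Mozilla's or GitHub's implementation.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real credential


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the local clock only."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the matching drift in time steps, or None if out of window.

    Hypothetical server-side check: accepts codes from clocks that are up
    to `window` steps behind or ahead of the server.
    """
    counter = server_time // STEP
    for drift in sorted(range(-window, window + 1), key=abs):
        if counter + drift < 0:
            continue
        candidate = hotp(secret, counter + drift, len(code))
        if hmac.compare_digest(candidate, code):  # constant-time compare
            return drift
    return None


if __name__ == "__main__":
    server_now = 59  # constructed timestamps for the demo
    print("in sync      :", verify(SECRET, totp(SECRET, 59), server_now))
    print("30 s behind  :", verify(SECRET, totp(SECRET, 29), server_now))
    print("60 s ahead   :", verify(SECRET, totp(SECRET, 119), server_now))
```

No network call appears anywhere: the phone and the server each derive the code from the shared secret and their own clock, so a code is rejected only when the clocks differ by more than the accepted window.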


(Leo McArdle) #7

Not sure what the best solution is here, but I’ve proposed a few:


(Lusito) #8

@hmitsch Thanks for taking this seriously. I can see the use for logins that have access to confidential data.

@leo: I will take a look at your links when I have some free time. Thanks.


#9

Here is another user with this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1433327