How do I remove MFA from phabricator?

Hello, I have lost access to the MFA key on phabricator, and now I can’t remove it.
Can an administrator remove it? I have the same username and email address over there.
Sorry if this isn’t the right place for this, I have no clue where I should put this.

Given that the whole point of 2FA/MFA is that you cannot log in without knowing e.g. the TOTP, it would be quite counterproductive if you could simply remove it. While the administrators can unlock accounts, this is something that in my opinion should never be done, as it poses a great risk for social engineering.

Imagine if someone had gained access to your e-mail account and now tries to take over your Blender account on developer.blender.org. The MFA prevents that from happening, even if they know your password. Since we do not personally know you, we have no way of verifying whether you are who you claim to be or if you are pretending to be koopa512.

That being said, this is not my decision to make. @troubled @ThomasDinges


It’s like losing your encryption keys :confused:

It can be arranged, but as Robert mentioned, there are so many things that can go wrong with honoring requests to remove 2FA from total strangers on the internet.

Short of walking into the studio with photo ID to prove your identity and allowing us to store a copy for proof, before a reset, I don’t know what a good policy is for such requests.

I defer to the higher ups.

I still have a login session, is there any way I’d be able to use that to verify that I own, or at least have full access to, that account?

I’m not the person to force my ideology and policy, unilaterally, on the users.

I can tell you that no such policy exists yet with regards to these types of questions, nor do I wish to create a de facto one through random Q&A on a forum buried deep inside one of our websites.

Now, that said, I do sympathize with you! I think it’s stoopid that we can’t just remove it without a second thought. However, could you imagine the consequences of removing 2FA after being socially engineered by a random person on the internet?

Consider what could happen if a person had taken over the account of someone, possibly deceased or incarcerated, that had commit access to the official repo, then started to masquerade as a developer. Prove their identity? Sure, that’s easy…wait, that’s right, we can’t prove anything because we don’t track that personally identifiable information before we hand out access, nor do we periodically validate any of the users that we have now.

Also, I really don’t want to get into what appears to be a new weekly trend of “Hey can you remove my 2FA by proving my identity using ? kthxbai!”, from 50 people a week.

Anyway, it’s a tough situation. Perhaps you can appeal to @Ton? I answer to the boss man!
