How do I remove MFA from phabricator?

Hello, I have lost access to the MFA key on phabricator, and now I can’t remove it.
Can an administrator remove it? I have the same username and email address over there.
Sorry if this isn’t the right place for this, I have no clue where I should put this.

Given that the whole point of 2FA/MFA is that you cannot log in without knowing e.g. the TOTP, it would be quite counterproductive if you could simply remove it. While the administrators can unlock accounts, this is something that in my opinion should never be done, as it poses a great risk for social engineering.

Imagine if someone had gained access to your e-mail account and now tries to take over your Blender account on developer.blender.org. The MFA prevents that from happening, even if they know your password. Since we do not personally know you, we have no way of verifying whether you are who you claim to be or if you are pretending to be koopa512.

That being said, this is not my decision to make. @troubled @ThomasDinges

2 Likes

It’s like losing your encryption keys :confused:

It can be arranged, but as Robert mentioned, there are so many things that can go wrong with honoring requests to remove 2FA from total strangers on the internet.

Short of walking into the studio with photo ID to prove your identity and allowing us to store a copy for proof, before a reset, I don’t know what a good policy is for such requests.

I defer to the higher ups.

I still have a login session, is there any way I’d be able to use that to verify that I own, or at least have full access to that account?

I’m not the person to force my ideology and policy, unilaterally, on the users.

I can tell you that no such policy exists yet with regards to these types of questions, nor do I wish to create a de facto one through random Q&A on a forum buried deep inside one of our websites.

Now, that said, I do sympathize with you! I think it’s stoopid that we can’t just remove it without a second thought. However, could you imagine the consequences of removing 2FA after being socially engineered by a random person on the internet?

Consider what could happen if a person had taken over the account of someone, possibly deceased or incarcerated, that had commit access to the official repo, then started to masquerade as a developer. Prove their identity? Sure, that’s easy…wait, that’s right, we can’t prove anything because we don’t track that personally identifiable information before we hand out access, nor do we periodically validate any of the users that we have now.

Also, I really don’t want to get into what appears to be a new weekly trend of “Hey can you remove my 2FA by proving my identity using ? kthxbai!”, from 50 people a week.

Anyway, it’s a tough situation. Perhaps you can appeal to @Ton? I answer to the boss man!

1 Like

So Troubled, it’s @DesD here, I have been in contact with you about the same problem 2FA, lost through my main device being wiped, it’s madness. Question: could the recovery codes for validating ‘blender.chat’ not be used in a similar way for verifying the identity and ownership of my blender.developer.org account? Or am I locked out of it until I personally visit Blender HQ and prove my I.D.? This is just an idea.

There really should be a process to reset 2FA tokens. I don’t know how to do that, but it’s just a fact of life that devices break and backups fail. Stuff breaks.

If losing your 2fa keys means there is just no way to reset them and you are locked out for ever, that means I’m not going to use 2fa on any blender website…

I was just thinking about setting that up for extra security, but this thread makes me scratch my head and decide to stick to a ridiculously long password.

I just removed my two-factor.

I’d rather be less secure, than to be inevitably locked out.
Losing access to authenticators or phones has happened to me before.

I have found the following Linux KDE distro-site in which they developed the phabricator 2FA: T8449 Replacement of KDE Identity System.
On this you can see they are or were developing a recovery method for the 2FA system used by the blender.developer.org site. But it seemed to stall, they mentioned Yubikey a USB, automatic ‘NFC’ (Near field Comms) login which requires no password or 2FA, just the USB used as a login key. This is the direction I’m going in for all my accounts. I hope Blender Foundation has it implemented before I buy them, I will be checking this. I hope this helps anyone who finds themselves in a similar situation.

Hello, Baardaap, and kaio, I am telling you this to solve your worries about the blender.developer.org 2FA that I am having. First of all, I have lost access to my account, it’s not the end of the world, I will get it back, when I am on holiday in Holland. No problems. Your worry about being locked out of your account can be solved by simply copying or printing the barcode you need to scan to set the 2FA up at the start, and storing this in a safe place where no one can get to it, obviously. Save it to an external encrypted USB stick, and/or, hide the printout somewhere only you can get to it. This now means you don’t need to worry about your account’s security because it’s 2FA protected, and if your device gets damaged or lost, with the barcode you can simply set up the 2FA connection to a new device and use that one. Problem solved for you. I wish I had someone advising me of this when I set my 2FA on my developer account. But hey, I get a holiday to Holland and the Blender HQ, LMAO.

1 Like

OP was still logged in when he lost his MFA key, which arguably was an opportunity for the site admins to verify his session logs, assuming Phabricator even allows this.
The lack of engagement seems a little odd given that Phabricator does not even give you options for MFA recovery, but it might also be that OP got things sorted out behind the scenes, so what do I even know.

Preemptively storing a QR-code is hardly a practical solution given how common MFA is today.

I hope you get a tour, though :slight_smile:

Yes, kaio,

I hope I get the tour too, that would be excellent. Thanks.

I was logged in until a system’s update changed that, and then I realized the 2FA device was not there to recover from it. But I have had this strange idea that verifying my I.D. through Github might provide me with the verified credentials that I need to convince the Blender Team, I am who I say I am. Did I just start an Eminem tune? LMAO!

Anyway, I’m hoping this works, but taking a trip to Holland to visit the entire Blender team would be good also. I might wait until the BCON 27-29 Oct, 2022, is over, I tend to avoid major events like this nowadays. It might actually be next year before I visit. I’m hoping the ‘Github’ option works before then.

1 Like

Why didn’t you highlight my name directly, and wait 3 months? You don’t “invoke” me by mentioning my name. :wink: You’re lucky that I even noticed this thread without notifications on it.

The only mention I had was a few months ago by Thomas Dinges that someone was going to contact me about a 2FA, and never heard anything about it. I presume this was you?

Looking at my rocket chat logs, @ThomasDinges said on October 11th that you were going to email me, but no such email arrived.

Yes, I asked DesD to send you an e-mail to verify.

1 Like