Two-factor authentication (2FA) seems not to work

I think only someone of the @admins group can do this.

Hi Jeroen,

I’ll have a look today. :wink:

Regarding the underlying issue with 2FA: we are aware of it, and we are hoping to fix it with the next Discourse update. In the meantime, the only workaround is not to use 2FA or ask for it to be disabled if you get stuck.

The update is in the backlog, we’ll let you all know when the time comes :slight_smile:

6 Likes

Hi Jeroen, I disabled the 2FA for your account :slight_smile:
For the time being, please redirect to me any users that have a similar need.

5 Likes

Today I also tried to set up 2FA on this forum and it still doesn’t work for me. The code for initialization was not accepted.

I tried to enable 2-factor, but the activation fails. The page claims the token is wrong.

Also I noticed, when I tried to go through the step multiple times, I always got the same base32 secret/QR code displayed, it never changed. Is that auto-generated based on email, or is it a hardcoded sitewide secret? It probably should be randomly generated every time someone (re-)activates 2-factor auth, especially in case the 2nd factor gets stolen (phone lost) being able to reset the secret would be important.

2 Likes
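The behaviour asked for in the post above (a fresh random secret on every (re-)activation, so a lost phone's secret can be retired), as an added example that is not part of the thread or of the forum software's code. It assumes standard RFC 6238 TOTP with HMAC-SHA1 and 30-second steps; `new_secret`, `totp`, `verify` and `Enrollment` are hypothetical names.

```python
import base64, hashlib, hmac, secrets, struct

def new_secret(nbytes=20):
    """Fresh random base32 secret; call on every (re-)enrollment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, code, at, window=1, step=30):
    """Accept codes from `window` steps either side of `at` (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
        for k in range(-window, window + 1)
    )

class Enrollment:
    """Hypothetical per-user 2FA state, kept in memory for the example."""
    def __init__(self):
        self.pending = None   # secret shown as QR code, not yet confirmed
        self.active = None    # secret confirmed by a valid first code

    def start(self):
        self.pending = new_secret()   # new secret each time, never reused
        return self.pending

    def confirm(self, code, at):
        # Only a valid first code promotes the pending secret; the
        # previously active secret is replaced and stops working.
        if self.pending and verify(self.pending, code, at):
            self.active, self.pending = self.pending, None
            return True
        return False

    def login(self, code, at):
        return bool(self.active) and verify(self.active, code, at)
```
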

This forum still doesn’t accept any 2FA code from my authenticator app (Authy). I’ve now used one of my backup codes to log in and disable 2FA for the time being. Re-enabling 2FA doesn’t work as no auth code is accepted. @gabrieleb Any update on this matter? Thanks in advance! :slight_smile:

@kolaj, no news for the time being, sorry. Still in the backlog.

Cheers,

2 Likes

For serious? A simple security feature that could make the accounts of this forum so much more secure? My first report was in October 2018!

1 Like

My bet would be, that the forum is just an “add-on” for Fairphone and no target of highest priority.
Since 2018:
They have taken care to get the FP3 on the market on time, tweaking even the hardware (# of screws to fix the display) as late as mid 2019 (if I recall it right).
They were - at the same time - working on Android 9 for the FP2.
So, most likely, the forum was kind of neglected (and maybe 2FA was not that popular with forum users to make it really urgent?). Plus - just a possibility - this matter is not as simple and trivial as it seems?

Just a kind of explanation my imagination came up with and not meant to justify it. Honestly, I am totally undecided on this.

Better no forum than an insecurely operated forum.
A trade-off would be to increase the requirements for password complexity.

Hey @maba007

Better no forum than an insecurely operated forum.

This sounds a bit of an over-reaction.
Are you correct in thinking this should have been resolved already? Yes, and you have all the rights to voice your concern.
Is the forum a platform that becomes by default insecure without 2FA? I don’t think so.

A trade-off would be to increase the requirements for password complexity.

The current password limitations include:

  • Minimum of 8 characters
  • Minimum of 6 unique characters
  • A dictionary of common words that are not allowed.

I sincerely doubt the average user would need more than this once 2FA is in working order. On this topic, please see below.


About the issue at hand

The IT team is working on redeploying the forum to a different host. We are working on doing a clean install and an import of the database, which should both solve some of the issues we are having and allow for easier maintenance in the future.

@BertG wrote:
Plus - just a possibility - this matter is not as simple and trivial as it seems?

Sorta. We don’t know what is causing the problem, but we don’t feel comfortable poking around with the risk of creating bigger issues at the moment. That’s why we are approaching the problem at a higher level (see above).

I hope this helps brighten the mood a bit :slight_smile:

Cheers,
G.

4 Likes

Thanks for the clarification. :+1:

@maba007, FYI: IMPORTANT: planned forum downtime due to server maintenance

:wink:

1 Like

@maba007, @kolaj, @corvuscorax, @fair2fair, @JeroenH.

You should now be able to (re)enable 2FA :wink:

7 Likes

I can confirm that 2FA works.

3 Likes

Works, thank you very much!

1 Like

Good things come to those who wait :+1: thank u!

2 Likes

Works like a charm, even with U2F. Thanks a lot guys, very good work!

1 Like

It works, perfect, thanks a lot!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.