Using 2FA for production has strange interactions with staging
Bug #1041125 reported by Jonathan Lange
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | High | Unassigned |
Bug Description
I've had 2FA set up on login.ubuntu.com using Google Authenticator for a couple of weeks. Today, I tried to log in to login.staging.
I was prompted for a 2FA password. I entered the password from my GAuth app, but it didn't work.
I looked into my device list (https:/
I was able to add a device, but when I did, the barcode wouldn't scan and it asked me to enter with the same account name (<email address hidden>). When I entered the account & AES key, it overwrote my production account on GAuth.
Changed in canonical-identity-provider:
assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
status: Confirmed → Triaged
Changed in canonical-identity-provider:
assignee: Ricardo Kirkner (ricardokirkner) → nobody
Changed in canonical-identity-provider:
status: Triaged → Fix Released
Thanks for reporting this. Staging and production 2-factor was recently decoupled and you seem to have found a few glitches that we missed :(
> I was prompted for a 2FA password. I entered the password from my GAuth app, but it didn't work.
This is because, although we removed all 2-factor devices on staging, we didn't update the "always require" setting. It doesn't seem to prevent altering devices but we should probably update it globally anyway, to avoid further confusion.
> I was able to add a device, but when I did, the barcode wouldn't scan and it asked me to enter with the same account name
> (<email address hidden>). When I entered the account & AES key, it overwrote my production account on GAuth.
We should have a different name on staging. The setting "twofactor.twofactor_service_ident" has a default of "UbuntuSSO". We should override this in the staging config to something like "UbuntuSSOStaging" or similar.
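The collision discussed in the comment above, as an added example that is not part of the original report or the SSO provider's code. It assumes the service ident is used as the label prefix and issuer of an `otpauth://` provisioning URI and that the authenticator app keys its entries by that label; all function names and the sample account are hypothetical.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def new_secret():
    """Random 160-bit TOTP secret, base32-encoded (constructed sample value)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(service_ident, account, secret_b32):
    """Build a key URI whose label is '<service_ident>:<account>' (assumed layout)."""
    label = quote(f"{service_ident}:{account}", safe=":@")
    query = urlencode({"secret": secret_b32, "issuer": service_ident})
    return f"otpauth://totp/{label}?{query}"


def enroll(app_store, uri):
    """Model of an authenticator app that keys entries by label.

    Returns the label when an existing entry's secret was replaced, else None.
    """
    parsed = urlparse(uri)
    label = unquote(parsed.path.lstrip("/"))
    secret = parse_qs(parsed.query)["secret"][0]
    replaced = label if app_store.get(label, secret) != secret else None
    app_store[label] = secret
    return replaced


def simulate(prod_ident, staging_ident, account="user@example.com"):
    """Enroll production first, then staging, and report what survived."""
    store = {}
    prod_secret = new_secret()
    enroll(store, provisioning_uri(prod_ident, account, prod_secret))
    replaced = enroll(store, provisioning_uri(staging_ident, account, new_secret()))
    return {
        "replaced": replaced,
        "prod_intact": store.get(f"{prod_ident}:{account}") == prod_secret,
        "entries": len(store),
    }


if __name__ == "__main__":
    print("same ident:    ", simulate("UbuntuSSO", "UbuntuSSO"))
    print("distinct ident:", simulate("UbuntuSSO", "UbuntuSSOStaging"))
```
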