Open
Description
I newly created a Fedoraproject account and enabled 2FA, resulting in being locked out from the account, as the log-in didn't accept the OTP token I entered.
After the token got reset I tried it again. This time I stayed logged in on one device to play around a bit more. Following are my steps taken and what I found:
Steps taken
from device 1:
- logged in
- added an OTP token
- confirmed with my password
- scanned the QR code
- entered the generated OTP token to confirm
- kept logged in
from device 2:
- tried to log in now with enabled 2FA
- failed with error "Unauthorized: bad credentials"
from device 1:
- went back to settings
- tried to disable 2FA again, but as it announced on enabling it already, it doesn't allow to remove all OTP tokens
- tried to add a second OTP token, which, now as 2FA is enabled already, requires the password AND an OTP token to confirm
- confirmation fails with "Incorrect password", weird because I use a password manager and autofill it, so mistyping it is basically not a thing
- as the password contained extended ASCII and specials I decided to generate a new alphanumerical one to test
- went to the password settings and filled in the current password, the new one and the OTP token
- changing the password went fine, so on changing the password it accepted the OTP token :o
from device 2:
- tried logging in with new password and OTP token again
- still failed
from device 1:
- tried again to add another OTP token
- still fails with "Incorrect password"
Right now the OTP token got reset again on my account and I'll wait for a response from here, before I try it again.
I'm using a current Firefox on Fedora and the Authenticator App andOTP on Android.
I'm especially flustered that it works on confirming the new token and changing the password, but not for logging in or adding another token.