TL;DR: I ended up with 2FA disabled and recovery key enabled
Hello people !
I'm currently testing Firefox Account features such as bookmark syncing and its login security (not password storage/sync). Unfortunately I'm having big trouble authenticating myself to the service right now.
I have 2 testing accounts with the following configuration:
- I've set up 2FA authentication.
- I did not set a secondary email.
- I did not set an account recovery key.
Here are some of the tests I'm doing:
- I start by doing several login/logout to check if 2FA is working as expected.
- Then I add a secondary email, make it primary, then remove the previous primary email.
- Then again login/logout several times to check if 2FA is working as expected.
At some point I'm unable to login after some iterations of step 3) above.
- At first I get an error saying my 2FA code is incorrect. But it allows me to login successfully using one of my 2FA backup codes.
- Then again I logout/login several times to check if 2FA is working as it should be.
- Then at some point I get the same error again saying my 2FA code is incorrect. Trying several unused 2FA backup codes fails with an error saying they're also incorrect.
- Then it finally says that I've tried too many times and suggests I should retry 15 mins later.
- When I try to login after some time it then asks me for an authorization code sent to my email. But then it says every authorization code I try is also incorrect.
- I managed to disable 2FA from one of the accounts I was still logged in to in Firefox. But when trying to login on another Firefox profile I get the same error saying I tried too many times.
Just for clarification - Please note that I may have used one or two 2FA codes instead of authorization keys when it asked me to. But I did not mistype any 2FA or auth code I've tried.
And after several hours of giving up on it - the problem suddenly vanished and I could login/logout fine.
As a precaution I added a recovery key and decided to disable 2FA because I can't be sure it will work as it should.
Maybe I got locked out but I don't know what really happened. I believe I did not do a lot of login abuse though.
I just feel like it's a big issue for my case because I could not rely on the 2FA backup and authorization keys.
The error didn't help either because it likely says I've been locked. Whereas having one or two mistyped codes or using "several correct 2FA backup and auth keys" which were wrongly considered incorrect - should not be treated as a login abuse or brute force.
From now on I will likely disable 2FA if using this service. I understand these tests are not things you do in everyday use but I can't imagine how bad it would feel if I had synced sensitive data such as passwords and had to wait hours to unlock access to my account (even if not to access that data).