Best practices for disabling 2FA codes for users


#1

Hi,

I am running an instance.

I have got a help request via an email from a user, who says he/she had set up 2FA then later lost both the device and the recovery code, and wants us to disable it for the account.

Basically I don’t suppose he/she is lying.

But if one can disable 2FA for any account by requesting it via email, then IMHO it is just the security level of the email account that protects the Mastodon account.

So, I’d like to know how instance admins here will/should handle this situation. Just ignore him/her, or is there a way that helps?


#2

Ask him to mail you from the email address used in the account.


#3

That is my point. Given that admins do so, once I had gained access to someone’s email account, I would be able to take over his Mastodon account by requesting that the admins disable 2FA, without stealing his 2FA-registered device. Then what does 2FA on Mastodon instances matter for?


#4

We have the 2FA reset button to allow admins to use their judgement on what level of security is required for users. Even by just putting a human in the loop it’s still more secure than it would be without 2FA.


#5

I’m kind of suspicious that they claimed to have lost the recovery code though… how did they manage to lose both at the same time?


#6

Perhaps they physically lost the phone, or the phone stopped working. I’m not sure what 2FA we are using, I haven’t tried to set it up, because I don’t have a phone I can set it up on. And, I’m not sure what to make of this either.

My suggestion is that the only way to figure this out is to use your judgement.


#7

His explanation is that he had ignored it because he thought he would be able to recover 2FA through SMS or something, which of course Mastodon currently does not provide.

I agree that human judgement is the key, but the reasoning behind the judgement may vary by instance. What standard would you depend on in such circumstances?


#8

I agree that our judgement is the only way, but there may be some standards for it. What would you try to figure out in such a situation?


#9

I’m not sure that I can give any “rules” or really what I would use in my own case. I think part of it may be, “do I have any idea who this person is?”


#10

Hmm, this topic might be irrelevant for “Troubleshooting”. I used this tag because it seemed I could not create a topic just in “Server administration” without “Troubleshooting”.

I think the “rules” or standards for the judgement should vary with the kind of instance. For instances with <10 users, admins may be able to contact the user on a face-to-face basis. For ones with >100 users it would be hard.

I would like to know the different opinions from admins of different sized instances.


#11

I’ve moved the post for you, let me know if you think that works!


#12

In general:

  • I will try to contact them on some other platform, such as twitter, IRC, matrix, etc that they’ve previously mentioned on their mastodon account, to make it harder on an attacker (who would have to guess ahead of time where I would contact them and also compromise that account, which may or may not be 2fa protected)

  • If I can’t find any reference to an external account, I generally then disable 2fa anyway, as it’s usually a user who has just set it up and ran into trouble very soon after.
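
The out-of-band check described in the post above, as an added example that is not part of the original thread and not Mastodon’s own code. It reads the profile fields of an account (the constructed sample below follows the shape of the Mastodon `/api/v1/accounts/:id` response, with made-up values), ranks the external contact points by whether Mastodon’s rel="me" link verification succeeded (`verified_at` set), and issues a one-time, expiring challenge token that the admin sends over the chosen channel and the requester must echo back before the 2FA reset button is pressed. The `ResetChallenges` class and its parameters are assumptions made for this example.

```python
import secrets
import time

# Constructed sample in the shape of a Mastodon /api/v1/accounts/:id response.
# Account name, field values and timestamps are made up for this example.
SAMPLE_ACCOUNT = {
    "id": "109",
    "username": "alice",
    "fields": [
        {"name": "Matrix", "value": "@alice:example.org", "verified_at": None},
        {"name": "Website", "value": "https://alice.example",
         "verified_at": "2023-01-02T03:04:05.000+00:00"},
        {"name": "IRC", "value": "alice on libera.chat", "verified_at": None},
    ],
}


def contact_channels(account):
    """Return the profile's external contact points, strongest evidence first.

    A field with verified_at set passed Mastodon's rel="me" link verification,
    so the user controlled that page when they set it up.  Unverified fields
    are only self-asserted, but still raise the bar for an attacker who holds
    only the e-mail account: they must also control that channel.
    """
    fields = account.get("fields", [])
    verified = [f for f in fields if f.get("verified_at")]
    unverified = [f for f in fields if not f.get("verified_at")]
    return ([(f["name"], f["value"], True) for f in verified]
            + [(f["name"], f["value"], False) for f in unverified])


class ResetChallenges:
    """One-time, expiring challenge tokens for 2FA-reset requests (assumed helper).

    The admin sends the token over the chosen channel (Matrix, IRC, a verified
    website's contact address, ...) and only resets 2FA if the requester echoes
    it back in time.  clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # username -> (token, expires_at)

    def issue(self, username):
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, unguessable
        self._pending[username] = (token, self.clock() + self.ttl)
        return token

    def verify(self, username, presented):
        entry = self._pending.get(username)
        if entry is None:
            return False
        token, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[username]  # expired: require a fresh challenge
            return False
        ok = secrets.compare_digest(token, str(presented))  # constant-time compare
        if ok:
            del self._pending[username]  # single use
        return ok


if __name__ == "__main__":
    for name, value, verified in contact_channels(SAMPLE_ACCOUNT):
        print(f"{'verified  ' if verified else 'unverified'} {name}: {value}")
    store = ResetChallenges(ttl_seconds=3600)
    token = store.issue(SAMPLE_ACCOUNT["username"])
    print("send this over the chosen channel:", token)
```

The token proves control of the external channel at reset time, which is the property an attacker holding only the e-mail account lacks; a field that passed rel="me" verification is the better channel because Mastodon itself confirmed the link when the user set it up, while an unverified field only shows what the user claimed.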


#13

Thank you for making the purpose of this topic clearer!

Finding external accounts seems to work well most of the time. I will try it next time I’m in this situation.