Unable to login - Invalid authorization key or 2FA codes or tried too many times
TL;DR: I ended up with 2FA disabled and recovery key enabled
Hello people !
I'm currently testing Firefox Account features such bookmark syncing and its login security (not password storage/sync). Unfortunately I'm having big trouble authenticating myself to the service right now.
I have 2 testing accounts with the following configuration :
- I've setup 2FA authentication.
- I did not set a secondary email.
- I did not set an account recovery key.
Here are some of the tests I'm doing :
- I start by doing several login/logout to check if 2FA is working as expected.
- Then I add a secondary email then make it primary then remove the previous primary email.
- Then again login/logout several times to check if 2FA is working as expected.
At some point I'm unable to login after some iterations of step 3) above.
- At first I get an error saying my 2FA code is incorrect. But it allows me to login successfully using one of my 2FA backup.
- Then again I logout/login several times to check if 2FA is working as it should be.
- Then at some point I get the same error again saying my 2FA code is incorrect. Trying several unused 2FA backup fails with error saying they're also incorrect.
- Then it finally says that I've tried too many time and suggests I should retry 15mins later.
- When I try to login after some time it then ask me for an authorization code sent to my email. But then it says every authorization code I try is also incorrect.
- I managed to disable 2FA from on one of the account I was still logged in Firefox. But when trying to login on another Firefox profile then I get the same error saying I tried too many times.
Just for clarification - Please note that I may have use one or two 2FA codes instead of authorization keys when it asked me so. But I did not mistyped any 2FA or auth code I've tried.
And after several hours of giving up on it - the problem suddenly vanished and I could login/logout fine. As a precaution I add a recovery key and decided to disable 2FA because I can be sure it will work as is should.
Maybe I get locked but I dont know what really happened. I believe I did not a lot of login abuse though. I just feel like it's a big issue for my case because I could not rely on the 2FA backup and authorization keys. The error didn't help either because it likely says I've been locked. Whereas having one or two mistyped codes or using "several correct 2FA backup and auth keys" which were wrongly considered incorrect - should not be treated as a login abuse or brute force.
From now on I will likely disable 2FA if using this service. I understand these tests are not things you do on everyday use but I can't imagine how bad it would feel if I have sync sensitive data such as passwords and have to wait hours to unlock access to my account (even if not to access those data).
Modified
All Replies (4)
Make sure to use a trusted internet based time service and verify that the time and timezone are correct on the mobile device with the authenticator app as the TOTP code is only valid for thirty seconds.
cor-el said
Make sure to use a trusted internet based time service and verify that the time and timezone are correct on the mobile device with the authenticator app as the TOTP code is only valid for thirty seconds.
Thank you I know TOTP requires a correct time sync but that should not be the whole issue here. If 2FA codes are incorrect because of incorrect time sync then that should not lead to 2FA backup codes being wrongly considered "incorrect" when not mistyped. In addition, that should not lead to authorization keys received by email being considered "incorrect" when not mistyped either. These 2FA backup codes and authorization keys sent by email are there to recover login when for some reasons your TOTP fails (should it be an unsynced time service, a lost 2FA device or else). Otherwise, they're useless...
An authenticator like the Google one shows how long the code will be valid and if only a few seconds are left best is to wait for a new code. Confirmation codes send via email arrive for me within seconds and always work for me (I use Gmail), but if you have a slow email service then the code may expire. I don't think that Firefox account works with TOTP code send via email (only codes to verify a new device).
cor-el said
An authenticator like the Google one shows how long the code will be valid and if only a few seconds are left best is to wait for a new code.
YES I am aware of that and I did wait few seconds after the TOTP timer start and made sure I have enough seconds left before it expires. I did so with Google Authenticator and with other password manager which support TOTP (because I wanted to test both to make sure TOTP works correctly).
cor-el said
Confirmation codes send via email arrive for me within seconds and always work for me (I use Gmail), but if you have a slow email service then the code may expire. I don't think that Firefox account works with TOTP code send via email (only codes to verify a new device).
When I say "authorization keys" sent by email then I mean codes sent by email and which must be provided during the login process on Firefox account. These are NOT TOTP codes and these are NOT codes to verify a new device (though they may or not have such use). The service does not always ask for such "authorization key" but it sometimes does when it considers there's should be an additionnal security check. Once auth key is validated then the service will ask for 2FA code.