Feedback on a 2FA Fail! The experience of it

[TimRudy]

Select Topic Area

Product Feedback

Body

Maybe this is an unusual scenario or maybe it's happened to lots of people.

I was encouraged to enable 2FA a few months ago, Dec 2022, so I did so. Now here's my user experience this evening:

Found I was logged out, that happens once in a while - but - I see a new page I've never seen before mentioning TOTP and, as subtext, SMS. I don't receive the SMS. So here are the first 2 problems:

• I've never in my life heard of "TOTP" or seen that acronym, so how could I connect that to the fact that I literally enabled 2FA with an Authenticator app, Microsoft Auth? I don't have a great memory either.

• It is very worrisome that I didn't get an SMS, so let me describe what happened - for me to blow off steam, also for constructive dialog because your UX sucks right now!!

  I asked myself if GitHub knows my phone number - no idea - by default, probably not!
  I tried again.
  Then, I started a complaint with my wife mentioning how a new "issue" comes up every couple of g**d** months in "not changing anything, finding the thing is broken" (you in this community know what I mean, right? It's insane, right?), and this time it might lead to me using "Recovery Codes" that I wrote down on a paper copy in file cabinet, because I'm an old guy, I'm like over 50!! And I have no intention of needing to start the process of using those. It was at that moment she went to get her phone & mentioned to me that she got a suspicious text. A few minutes before, sure enough...! (Whew!)
  Now let me back up a bit: Her number has nothing to do with GitHub. I asked myself, would I ever have used her phone or e-mail? No! However, I am obligated to have her email registered one place: the recovery email for my primary Google mail. Reason is out of scope here.
  The idea that her cell number appears in this saga really confuses me, but it could be because GitHub may know me by reference in some way through Google ("Login using your bank - using Google..."). I doubt that. I have GitHub as an eqi-important independent auth party in my records. If you know what I mean. I'm aware of no connection.
  But sites & services are getting people to sign up with passwords and 2FA, so mmmv.

I had 2FA for GitHub, there's no denying that. However I was unable to log in. Why me?!! I started to install "TOTP" app from the app store;

Step 1 trying to get in, I read:

Tip: To configure authentication via TOTP on multiple devices, during setup, scan the QR code using each device at the same time. If 2FA is already enabled and you want to add another device, you must re-configure your TOTP app from your security settings."

Explain that... In a time of frustration and trying to follow directions, that is unhelpful at best. It certainly gives "devices", authentication, apps, configuring, settings and setting up, a bad taste!

Once I logged in to GitHub, I saw and I complain that:

"Profile", "Settings" and their division into Email, Passwords, Settings, Account, Security, Billing, and god knows what else has no mention of phone number, is another unorganized tour of bullsh**, from 2 different points of departure, that you can probably improve. The problem there has a name something like Category Error or Mixing & Spreading things Badly. It probably comes from legacy history. I feel for your devs because I feel sorry for your whole mess.

I followed:

1. Download a TOTP app.

2. In the upper-right corner of any page, click your profile photo, then click Settings.

I'm savvy enough to figure that scanning a QR code or clicking inside this new app is not going to get me very far - if I'm LOGGED OUT.

(So I went to the support site/wizard. It is not bad.)

In the self-help steps,

Please ensure that your SMS number is the one you've added to your GitHub.com account.

That was not possible:
A) When you're logged out
Also:
B) When you're logged in. A phone number was not seen anywhere. This is a really weird piece of UX:

It displays a phone number. Do you know why I say that it didn't display my SMS phone number, when it was in view mode, not edit mode? Because it didn't! It displays my number now that I've entered it and verified it. But when it was my wife's number, no, it didn't display it!

That's not good. That's a bug.

(Personal experience: If we had had a relationship breakdown or were in different cities, I would be up the creek. Even as it was, she wasn't going to say anything to me. I know you can say this is my problem. This only becomes (hugely) relevant if you guys discover you have an opaqueness or a UI bug, or a conceptual screw-up about a 2FA default.)

Objectively, there is a mystery: Why MY phone number was not solidly entered in GitHub in the secondary 2FA. Or if I had typed it in and used it last December, then how come it was opaque and invisible? (Contact me privately if this is a huge embarrassing problem bordering on the corporate culpability, you know where to reach me.)

Next issues that I have, I need to put in their own sidebar:

1. There is mention of a 28 day test-it-out period, and some other mention of a 45 day period of making sure things work. Those are meaningless to me. I never read any email, or anything, about those and those concepts are opaque. Now, they probably have nothing to do with my case, where I voluntarily initiated this Kafka-2FA in Dec 2022.

2. Self-help wizard said:

Do you have other 2FA options enabled for your account, such as security key or the GitHub Mobile app configured as a verification device?

This illustrates the problem I had from the get-go: The new login page said "TOTP" and did not mention Microsoft Authenticator. It turns out that my primary 2FA was set up in Microsoft Authenticator - and it even has its own separate thingy saying GitHub. Can you help me with that by mentioning it, somehow?*

I could have used that method, then the secondary 2FA phone number that was wrong wouldn't have been noticed by me, I wouldn't have installed TOTP, I could have logged in as designed, and avoided major frustration!

*Internally when looking at Profile in GitHub, one sees example of this:

Password managers like 1Password, Authy, Microsoft Authenticator, etc...

3. Where it talks about the fear-inspiring Recovery process - I was nowhere near a Recovery - was I...? I was not. But this:

Recovery codes... you'll be able to regain access if you:

• Lose your phone
• Delete your authenticator app
• Change your phone number

It suggests that providers of 2FA should present it well; and should maybe reconsider because it seems to have some big downsides.

• Losing my phone is unlikely, never happened, but it is 100% possible! Great. (Great fear.)

• Deleting my authenticator app, for me, my habits and passive-aggression toward IT, is absolutely quite likely. Things like this have happened to me. I wish I wasn't vulnerable somehow, and it's again an issue of fear.

• Changing my phone number - same as the first: It only happened once for my cell phone, it's not projected to happen, but it is 100% possible.

Hence all 3 of these have a chance of happening to me! Can you do something to improve the UX?

Don't get me started on how I was parking in a new city last weekend... I had to make up a new secure password & download an app so I could park my car.

I'm blowing off steam, I gotta go. This was terrible.

[ghost]

This is exactly why I'm letting my account get locked on the 3rd and moving to Gitlab permanently.
Ever since Microsoft purchased Github, the developer experience has consistently been made worse, in line with Microsoft's Embrace, Extend, Extinguish policy.

[geomorillo]

Im not gonna use this 2fa shit so im moving to another free service.

[i8964]

They microsoft are data brokers. Steal everything and sell them