authentication device help message incorrect

Bug #1880042 reported by Joe Guo
This bug affects 1 person
Affects: Canonical SSO provider
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

On https://login.ubuntu.com/+device-help:

We need to remove the device from your account to prevent someone using it to gain access to your account. Please contact us immediately to resolve this! You can reach ISD in the #isd channel on IRC, or IS in the #webops channel, or phone the IS emergency helpline.

The message is incorrect:
1. The #isd channel only has 3 users and seems not to be in use.
2. Confirmed with IS: they are not managing this site, and #webops is also the wrong channel to seek help from IS.

Daniel Manrique (roadmr) wrote :

Update the text to this:

"We need to remove the device from your account to prevent someone using it to gain access to your account. Please contact us immediately to resolve this! You can reach IS in the #is channel (the vanguard is listed in the channel topic), or phone the IS emergency helpline."

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
status: Confirmed → Triaged
William Grant (wgrant) wrote :

I think it needs some more extensive updates, as it's not just Canonical employees who can get to that page AFAIK.

Daniel Manrique (roadmr) wrote :

The suggested change is already in production, and at least the page is now not entirely misleading :)

I'll leave the bug open because I agree that it's worthless for non-Canonical employees (but that was potentially the case before, anyway).

I was thinking about postponing further updates until we have the 2fa backup enforcement measures in place (lost your device? use your backup device to log in and delete the lost device immediately), and we can definitely think about messaging for people to report lost devices if they're not in a position to delete them swiftly.

This still falls in the "we cannot act on unverified action requests" bucket, so anything we do would need to take that into consideration. When the user is in a position to prove their identity more positively (via ssh/gpg key or backup device) they are also potentially in a position to self-delete the compromised device.
