Dogfooders wanted for 2-Step Verification on chromium.org


Paweł Hajdan, Jr.

Jul 27, 2015, 5:53:36 AM
to chromium-dev, infr...@chromium.org

Hello Chromium developers,


The Infrastructure Team is planning to make 2-Step Verification mandatory for all chromium.org accounts. This is part of an effort to strengthen security of the infrastructure.


To make this process smooth, we’re starting with at least a 2-week voluntary dogfood.


Note that I’ve personally verified that the typical developer workflow (i.e. accessing codereview.chromium.org, uploading patches, triggering tryjobs, landing changes, etc.) works when using 2-Step Verification. That doesn’t guarantee it’ll work for you, though, or that less common tasks work, which is why we’re starting with an opt-in dogfood.


Please see https://support.google.com/accounts/answer/185839?hl=en for instructions on how to enable 2-Step Verification for your account. Also see https://www.google.com/landing/2step/ for more general context.


Once you enable it, consider switching from SMS codes to a security key (https://support.google.com/accounts/answer/6103534?hl=en) or an app (https://support.google.com/accounts/answer/1066447?hl=en).


If you’re a Googler, you can reuse your existing security key. Otherwise, see https://support.google.com/accounts/answer/6103523?hl=en for possible ways to get one, and note that it’s optional and you can still use SMS codes or the app instead.


You can see the list of currently known issues at https://code.google.com/p/chromium/issues/list?can=2&q=Proj%3D2FactorAuth.


Report any issues using the following link: https://code.google.com/p/chromium/issues/entry?labels=Infra,Proj-2FactorAuth.


It’s totally fine if you opt out after encountering a blocking issue. Make sure to file a bug for it using the link above, and use https://support.google.com/accounts/answer/1064203?hl=en to disable 2-Step Verification for your account.


Please don’t hesitate to ask any questions about this process, or to share related comments or concerns.


Paweł

Jeffrey Yasskin

Jul 27, 2015, 10:50:16 AM
to Paweł Hajdan, Jr., infr...@chromium.org
FWIW, I've been using 2-factor on my Chromium account since 2012 with no problems, especially since `git cl upload` switched to oauth.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

Antoine Labour

Jul 27, 2015, 4:44:20 PM
to Paweł Hajdan, Jr., chromium-dev, infr...@chromium.org
On Mon, Jul 27, 2015 at 2:53 AM, Paweł Hajdan, Jr. <phajd...@chromium.org> wrote:
I turned on 2-factor, but a git cl upload didn't ask for the 2nd factor (or credentials, actually). Is it because it somehow grabs the cookie from the browser, or because it had cached credentials? How can I test the git cl flows for the case where I would need to authenticate again?

Thanks,
Antoine


Robert Iannucci

Jul 27, 2015, 4:55:56 PM
to Antoine Labour, Paweł Hajdan, Jr., chromium-dev, infr...@chromium.org
depot_tools has been using oauth2 for a while now. I believe that the command that you'd need to run is `depot-tools-auth logout` to remove the cookies, and `depot-tools-auth login` to log in again. The cookies live in your homedir.

--
You received this message because you are subscribed to the Google Groups "infra-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to infra-dev+...@chromium.org.
To post to this group, send email to infr...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/infra-dev/CAMeTaZfvrZjNG-HNKbNTmSUz5SkQuLy-Mgrpnvm5Erc6CLoZUg%40mail.gmail.com.

Antoine Labour

Jul 27, 2015, 5:44:15 PM
to Robert Iannucci, Paweł Hajdan, Jr., chromium-dev, infr...@chromium.org
On Mon, Jul 27, 2015 at 1:55 PM, Robert Iannucci <iann...@chromium.org> wrote:
depot_tools has been using oauth2 for a while now. I believe that the command that you'd need to run is `depot-tools-auth logout` to remove the cookies, and `depot-tools-auth login` to log in again. The cookies live in your homedir.

Thanks. I was surprised existing auth tokens were not invalidated when enabling 2-factor.

Antoine

Robert Iannucci

Jul 27, 2015, 7:08:16 PM
to Antoine Labour, Paweł Hajdan, Jr., chromium-dev, infr...@chromium.org
Yeah, that's actually a bit surprising, but IIUC, this would be a bug/feature for the internal authentication folks to answer.

Mike Frysinger

Jul 27, 2015, 7:45:44 PM
to Robbie Iannucci, infr...@chromium.org, chromium-dev, Paweł Hajdan, Jr., Antoine Labour

it makes sense to me. enabling 2FA means when you want to get new credentials, you need to use 2FA. the process shouldn't (at least silently) expire all existing authentications. think how many places you have that are logged in now ... it'd be a pretty bad experience to force a sync on them all. it also wouldn't really make sense as there is already an existing page for doing this.
-mike

Robert Iannucci

Jul 27, 2015, 8:42:52 PM
to Mike Frysinger, infr...@chromium.org, chromium-dev, Paweł Hajdan, Jr., Antoine Labour
Right, from a convenience point of view, it's pretty clear that it's a better experience. However from a security PoV it seems a bit surprising, especially since many people enable 2FA after a call to arms such as "tokens might be compromised! enable 2FA to protect thyself!".

I do suspect it's WAI though.

R

Mike Frysinger

Jul 27, 2015, 8:46:22 PM
to Robert Iannucci, infr...@chromium.org, chromium-dev, Paweł Hajdan, Jr., Antoine Labour
we could file a bug w/the security group that manages this site so that there is an explicit bullet point in the flow that calls it out. what you describe didn't even occur to me as something that would even happen ;).
-mike

Sunny Sachanandani

Jul 28, 2015, 2:09:53 PM
to vap...@chromium.org, Robert Iannucci, infr...@chromium.org, chromium-dev, Paweł Hajdan, Jr., Antoine Labour
I've been using 2FA since yesterday and it seems you need to use an app-specific password now if you use your chromium.org account as an alias in gmail. You won't be able to send mail until you do so, but you will be able to receive mail.

Paweł Hajdan, Jr.

Jul 31, 2015, 4:50:24 AM
to Sunny Sachanandani, Mike Frysinger, Robert Iannucci, infr...@chromium.org, chromium-dev, Antoine Labour
Acknowledged. FWIW I was pulling @chromium.org email using POP and actually had to use an app-specific password to receive email.

Paweł

Roger Tawa

Jul 31, 2015, 8:04:48 AM
to Paweł Hajdan Jr., Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani

Wrt security, it might be related to the scope of the oauth2 token. For example, chrome itself uses an all-encompassing login-scoped token, and this is silently invalidated when 2SV is turned on. I'll ask the lso folks.

Thanks,
Roger

Wez

Aug 3, 2015, 4:05:02 AM
to rog...@chromium.org, Paweł Hajdan Jr., Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani
When you set up 2-factor the process includes a pop-up indicating that you'll need to re-associate any apps that you had logged-in to, which suggests that it's supposed to revoke any pre-existing tokens, surely?

Aurimas Liutikas

Aug 20, 2015, 12:53:37 AM
to w...@chromium.org, rog...@chromium.org, Paweł Hajdan Jr., Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani
Did 2-Step Verification get enabled for everyone? I am trying to sign in (I did not sign up for the dogfood) and I'm getting "Your organization's policy requires you to enroll in 2-step verification. Please contact your administrator for more information." without any details of how to do it. I tried going to the accounts page, but that requires 2-factor auth too before I can change anything, leaving me locked out of my chromium.org account.

Aurimas

Scott Graham

Aug 20, 2015, 1:07:25 AM
to Aurimas Liutikas, Wez, Roger Tawa, Paweł Hajdan Jr., Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani
Me too. :(

Anthony LaForge

Aug 20, 2015, 1:23:30 AM
to Scott Graham, Aurimas Liutikas, Wez, Roger Tawa, Paweł Hajdan Jr., Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani
It did accidentally, yes, I just reversed it (removed the enforcement).

The UI controls for selecting a specific group give a very subtle indication of what is/is not selected, and so everyone got selected versus just the people on the secu...@chromium.org alias.

Kind Regards,

Anthony Laforge
Technical Program Manager
Mountain View, CA

Paweł Hajdan, Jr.

Aug 20, 2015, 4:13:51 AM
to Anthony LaForge, Scott Graham, Aurimas Liutikas, Wez, Roger Tawa, Robbie Iannucci, Antoine Labour, infr...@chromium.org, chromium-dev, Mike Frysinger, Sunny Sachanandani
I think we also discovered that the setting doesn't seem to enable users who didn't have 2FA enabled to enroll once enforcement is in place.

We're discussing possible solutions to this.

Meanwhile, I'm not aware of any issues once one successfully enrolls, so my recommendation would be - please sign up for 2FA early. You'll still be able to opt back out if you hit any blocking issues.

Paweł

Trent Apted

Jan 20, 2016, 6:31:43 PM
to Paweł Hajdan, Jr., patri...@chromium.org, infr...@chromium.org
On 20 August 2015 at 18:13, Paweł Hajdan, Jr. <phajd...@chromium.org> wrote:
I think we also discovered that the setting doesn't seem to enable users who didn't have 2FA enabled to enroll once enforcement is in place.

We're discussing possible solutions to this.

Was a solution found? :)

Patti is a converted intern from 2 years ago. Login attempts just direct to a page prompting for a code, and suggesting she "contact the system administrator". (There aren't any links or suggestions for who that might be).