On account recovery with two-factor authentication


posted on Sept. 4, 2021, 6:30 p.m.

In light of recent events, DMOJ administrators have decided to not process any support requests about account recovery, starting January 1st, 2022. If you lose your second authentication factor, you must use the recovery code generated when you enabled two-factor authentication (2FA). If you do not have a recovery code, access to your account will be lost forever. This is done purely for security reasons, to protect you from social engineering attacks.

Two-factor authentication is designed to protect an account even when the password (or equivalently, the email with which the user could reset it) is compromised. Therefore, a genuine recovery request is indistinguishable from the following attack:

Suppose you are Alice, and an attacker Mallory has somehow gained access to your email. Then, Mallory can send an email to the DMOJ admins, claiming that she is Alice, has lost her phone, and begs the admins to reset 2FA. Since the admins do not know either Alice or Mallory in real life, it is conceivable that an admin could be tricked into believing Mallory is really Alice and granting the request. Now, Mallory obtains access to the account Alice, even though 2FA is supposed to prevent her from doing so.

Therefore, the only option DMOJ admins have to safeguard your account security is to ignore all support requests about account recovery. Please keep your recovery codes safe. If you don't know them, you can go to the edit profile page, regenerate them, and store them in a safe place. Thank you.


Comments