DigitalOcean quietly enabled 2FA behind your back: lose a domain? lose your DO account
Heads up if you have your DO account on some fringe domain you might forget to renew.
Or an E-Mail provider, or ISP which went out of business, or you stopped using them.
Lose being able to receive E-Mail on that domain, lose your DO account entirely; you won't even be able to log in to change the E-Mail address.
Admittedly I didn't log in to this account for a while, but back when I did, I never had to enter any "6 digit code" to do so. It appears at some point that became a requirement -- without any warning or consent from the user's side.
Luckily in my case I still have the domain, but I've long disabled receiving mail on it. Now have to re-enable it and wait for DO's DNS caches to expire(?), so they can resend their valuable fucking mail. What a load of hassle.
Comments
Or, you could, you know, try contacting them. If your email address with them was deactivated, it's hardly that they "sprung" this on you.
You could send in your passport, but not sure if someone goes so far.
Usually you should not do that, for privacy concerns.
No idea what happens if you open another one.
I believe they only do this on unrecognized logins, i.e. from unusual devices or locations. For me it usually happens when I travel to a new physical location.
(Also, it's not really 2FA; for something to be true 2FA, it has to require compromising a different system from the one you're logging into, and that's not the case for verification e-mails. Not that it's not useful, but it's not 2FA.)
Problem with that is - what is unrecognised?
Every time I've been on holiday and left my laptop for a week, when I got back Google didn't recognise the login anymore.
With DO, unless you're ordering new services or reinstalling a current service I guess most people don't ever need to log in. Unrecognised is probably almost every login.
Of course, with letting a domain you use for email lapse - DO verification is probably one of the lowest of concerns - but, it's interesting to think about.
Or an E-Mail provider, or ISP which went out of business, or you stopped using them.
Lose being able to receive E-Mail on that domain, lose your DO account entirely; you won't even be able to log in to change the E-Mail address.
You know that email is pretty key to getting access to the account or verifying ownership, so if you value the service then make sure the address used is accessible.
Blaming a provider for wanting to make sure it's really you after not logging in for so long is bad how?
One day providers will wipe your ass for you, not today though.
I recently had that experience when I lost my .io domain and it wasn't the most pleasant thing to encounter.
I get this about once every 12 hours, it's annoying.
Not gonna complain though, I prefer too much security over too little.
I get this basically every login. uBlock kills their fingerprinting js, at least.
It's defined differently by different organizations, of course. If I had to make a guess, I'd expect Google to follow a rule along the lines of "once we've seen 3 days where the user did not connect from system A but they did connect from elsewhere, system A becomes unrecognized".
That would account for both casual users (since they'd not connect often at all), and provide increased protections for 'power users' (automatically and quickly locking out old systems to prevent compromise).
I'm not sure how DO does it. It may well be something similar.
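The "3 days elsewhere" rule guessed at above, written out as a small device-trust check so the two cases it is meant to cover (a rarely logging-in casual user versus a power user hopping between systems) can be seen side by side. This is an added illustration, not code from DigitalOcean or Google; the `staleDays` threshold, the `LoginEvent` record and the reading of the rule as "days after the last login from that system" are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// LoginEvent is a constructed login record: the system it came from and when.
type LoginEvent struct {
	System string
	At     time.Time
}

// staleDays is the threshold from the rule quoted in the thread (assumed value).
const staleDays = 3

// IsRecognized applies the guessed rule: a system stops being recognized once
// the user has logged in from somewhere else on staleDays distinct calendar
// days after the last login from that system. Days with no logins at all do not
// count, so a casual user who rarely logs in keeps their laptop recognized,
// while a power user's abandoned systems expire within a few days.
func IsRecognized(system string, events []LoginEvent) bool {
	var lastFromSystem time.Time
	seen := false
	for _, e := range events {
		if e.System == system && (!seen || e.At.After(lastFromSystem)) {
			lastFromSystem, seen = e.At, true
		}
	}
	if !seen {
		return false // never seen this system: always treated as unrecognized
	}
	elsewhereDays := map[string]bool{}
	for _, e := range events {
		if e.System != system && e.At.After(lastFromSystem) {
			elsewhereDays[e.At.UTC().Format("2006-01-02")] = true
		}
	}
	return len(elsewhereDays) < staleDays
}

func main() {
	day := func(d int) time.Time { return time.Date(2018, 1, d, 12, 0, 0, 0, time.UTC) }
	// Constructed history: laptop used once, then three days of phone-only logins.
	events := []LoginEvent{
		{"laptop", day(1)},
		{"phone", day(3)}, {"phone", day(4)}, {"phone", day(5)},
	}
	fmt.Println("laptop recognized:", IsRecognized("laptop", events)) // false
	fmt.Println("phone recognized:", IsRecognized("phone", events))   // true
	// A casual user: one laptop login and nothing since stays recognized.
	fmt.Println("casual laptop recognized:", IsRecognized("laptop", events[:1])) // true
}
```

Note that under this reading a system that has simply not been used for weeks, with no logins from anywhere, stays recognized; the week-long holiday case from the thread would only expire the laptop if logins happened from another device in the meantime.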
They've been doing this for weeks? Especially if you log in from a different PC.
Probably this
This does not occur if you have two factor enabled on your account.
I'm sure everyone here has accounts with providers where you didn't login for weeks. And on some of those there might be even some credit left. And if everything is running well, maybe even some running services (prepaid). It's very easy to forget to keep your E-Mail address or other details up-to-date on all of those.
I think longer than that...I remember encountering this last year when I was traveling more. Every time I logged in on the road, I had to go through this process (which I didn't mind at all).
I don't think it's unreasonable for DO to say "you registered from this email, so we're going to assume you still have it because you didn't use the method we provide to change it".
I think you're in a pretty small corner case.
If it makes you feel any better, Vultr has $2.50 instances in stock in New Jersey at the moment...
This has certainly happened to me, given the amount of accounts everyplace on the internet wants me to sign up for. If I leave something unused for a long while I probably don't remember it enough to update if my address changes. It's not so good to invalidate someone's login/password unless there's some evidence of an actual compromise. Given the amount of 3rd party javascript on DO's login pages maybe that's another security area they could address first.
What a risqué title.
Certainly from a high level perspective, but I'd like to point out that features like this don't get implemented just to do it. I'll leave the details to the imagination, but this was a direct response to a problem and it largely resolved it.
At the end of the day, every change will upset someone, including no change.
Besides, not using two factor authentication is leaving security on the table and choosing against it. Using it, one does not face this issue. There's no excuse for relying solely on passwords where 2FA is an option in 2018. Someone who doesn't take their account security seriously is a liability in a shared environment.
I use it for DO, Vultr, Hetzner and so many others. Single Android app on phone, job done. Then I store the manual codes somewhere else for when my phone dies.
Far too convenient not to use 2FA nowadays for the protection it provides.
Having to type in long strings of random characters is a really hideous solution.
Right, and that's good. But now you've made your phone a "lose me and you'll be spending long nights typing a code for every login in your life" which is bad.
This is largely why I've preferred SMS codes vs. a phone-based authenticator. Losing my phone would suck, but when I get a new phone, I don't lose any 2FA. Having to go account-by-account and type in recovery codes would be...well, hideous.
And it's not just losing your phone. If you replace your phone via upgrade or switching, etc. you also lose your Google Authenticator registrations.
Is there an option to print out and store QR codes? I need to investigate this more.
SMS codes really aren't safe, I know people who've lost money due to their numbers being stolen.
Social-engineering a cell provider is alarmingly easy.
Is this even 2FA?
Bro, do you even auth?
Not a big deal, they are electronic, copy and paste once, disable 2FA temporarily if really necessary until I get a new phone. If you live in fear of losing your phone to not use 2FA then that's just a bit nuts frankly.
Setting it back up is then done the next time you log in. It's like a 60-second process.
No.
I sync my 2FA codes across more than one device. This technically reduces the security to a degree, but is still so incredibly more secure than simply using a password alone.
What DO did in the opening post? No. Just an "is it really you check".
Nope. Fixed the problem it was set out to fix though.
Edit: I mean I guess technically it could be. Two factor at the core of the two words simply means two separate things required, right? Password and emailed code is technically "two factor" in that perspective, I suppose.
I do have 2FA enabled on DO and I verified that I can login with it without an email confirmation, so that's good. I didn't try the fallback codes so I hope they also aren't affected. But if you've had some kind of mass breach attempt, I'd look for less troublesome ways to mitigate it. Throttle and throw captchas at persistent IP addresses, temporarily lock accounts after too many wrong password guesses, check everyone's hashed password against haveibeenpwned, that sort of thing.
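Two of the less intrusive mitigations listed in that comment, worked through as code: a per-account failure counter that temporarily locks after too many wrong guesses, and the Pwned Passwords range check, which only ever sends the first five hex characters of the SHA-1 digest to the API and matches the remaining 35 locally. This is an added example, not DigitalOcean's code; the lockout threshold and window, the `Limiter` type and the `SampleRange` response body are constructed for the illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Lockout policy (assumed values): lock an account after maxFailures wrong
// guesses inside window. Correct logins reset the counter.
const (
	maxFailures = 5
	window      = 15 * time.Minute
)

// Limiter keeps failed-guess timestamps per account in memory. A real deployment
// would also key on source IP and share state across instances.
type Limiter struct {
	failures map[string][]time.Time
}

func NewLimiter() *Limiter { return &Limiter{failures: map[string][]time.Time{}} }

// prune drops failures that have aged out of the window.
func (l *Limiter) prune(account string, now time.Time) {
	var kept []time.Time
	for _, t := range l.failures[account] {
		if now.Sub(t) < window {
			kept = append(kept, t)
		}
	}
	l.failures[account] = kept
}

// Locked reports whether the account has reached the failure threshold.
func (l *Limiter) Locked(account string, now time.Time) bool {
	l.prune(account, now)
	return len(l.failures[account]) >= maxFailures
}

// RecordFailure notes one wrong guess; call Reset after a successful login.
func (l *Limiter) RecordFailure(account string, now time.Time) {
	l.prune(account, now)
	l.failures[account] = append(l.failures[account], now)
}

func (l *Limiter) Reset(account string) { delete(l.failures, account) }

// SplitForRange hashes a password with SHA-1 and splits the upper-case hex digest
// into the 5-character prefix that goes to the range API and the 35-character
// suffix that is matched locally, so the full hash never leaves the server.
func SplitForRange(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// SampleRange is a constructed stand-in for a range API response body
// ("SUFFIX:COUNT" per line); the counts are made up for this example.
const SampleRange = "0018A45C4D1DEF81644B54AB7F969B88D65:2\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n" +
	"5F9D2D6A7D5F8C8C6C4D0C3B1E2F9A8B7C6:1\n"

// PwnedCount returns how often the suffix appears in the range body, 0 if absent.
func PwnedCount(rangeBody, suffix string) int {
	for _, line := range strings.Split(rangeBody, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			if n, err := strconv.Atoi(parts[1]); err == nil {
				return n
			}
		}
	}
	return 0
}

func main() {
	prefix, suffix := SplitForRange("password")
	fmt.Printf("send only prefix %s to the range API, match suffix locally\n", prefix)
	fmt.Println("seen in breaches:", PwnedCount(SampleRange, suffix))
	l := NewLimiter()
	now := time.Now()
	for i := 0; i < maxFailures; i++ {
		l.RecordFailure("alice", now)
	}
	fmt.Println("alice locked:", l.Locked("alice", now))
}
```

One caveat on "check everyone's hashed password against haveibeenpwned": the range API is keyed on SHA-1 of the plaintext, so a service that stores bcrypt or similar can only run this check at login or password-change time, when it briefly has the plaintext, not as a batch job over its existing hashes.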
So has anyone sued DO for this yet?
This seems hard to do depending on your 2FA mechanism. It would be nice if a standard developed, where services implementing 2FA would also generate a backup code, encrypt it under a public key uploaded by the user, and email the encrypted code to an address the user specifies or else just store it online someplace. Then a special app could download the encrypted codes and decrypt them with a user-supplied private key (long string or QR code snapshot) and restore them to a newly installed (such as on a new phone) 2FA app.
Right now one of the hassles of 2FA is saving the backup codes someplace other than my phone. Maybe I'll try to concoct some solution like the one described above.
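The escrow scheme sketched in the comment above, together with the earlier question about printing and storing QR codes, as one added example (not code from DigitalOcean or any authenticator app). The QR code an authenticator scans encodes an `otpauth://` URI carrying the TOTP secret, so that URI, not any single 6-digit code, is the registration worth backing up; the block builds it, encrypts it under a user-supplied RSA public key with OAEP, and shows the restore side decrypting it on a new device. The function names, the `"2fa-backup"` OAEP label and the choice of RSA-OAEP are assumptions standing in for whatever a real standard would pick.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base32"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net/url"
)

// TOTP returns the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for a raw
// secret at unix time t, so a restored secret can be checked to still work.
func TOTP(secret []byte, t int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// OtpauthURI is the string behind an enrolment QR code: issuer, account and the
// base32-encoded secret. Keeping this (printed or escrowed) is what lets a new
// phone be re-enrolled without touching every service.
func OtpauthURI(issuer, account string, secret []byte) string {
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30",
		url.PathEscape(issuer), url.PathEscape(account), b32, url.QueryEscape(issuer))
}

// NewUserKey stands in for the key pair the user generates and whose public half
// they upload to the service. 2048-bit RSA-OAEP/SHA-256 fits at most 190 bytes of
// plaintext, enough for one otpauth URI; a real scheme would wrap a symmetric key.
func NewUserKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// EscrowBackup is the service side: encrypt the backup material under the user's
// public key, so the copy it emails or stores is useless without the private key.
func EscrowBackup(pub *rsa.PublicKey, backup string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(backup), []byte("2fa-backup"))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// RestoreBackup is the restore app on the new phone: decode, then decrypt with
// the private key the user kept offline (long string or QR snapshot).
func RestoreBackup(priv *rsa.PrivateKey, escrowed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(escrowed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("2fa-backup"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv := NewUserKey()
	secret := make([]byte, 20) // constructed TOTP secret for this run
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	uri := OtpauthURI("ExampleHost", "alice@example.com", secret)
	esc, err := EscrowBackup(&priv.PublicKey, uri)
	if err != nil {
		panic(err)
	}
	restored, err := RestoreBackup(priv, esc)
	fmt.Println("escrowed copy starts:", esc[:24]+"...")
	fmt.Println("restored intact:", err == nil && restored == uri)
	fmt.Println("code from restored secret:", TOTP(secret, 1514764800))
}
```

The property that matters for the "email it or store it online" part is that neither the mail provider nor the service's storage can read the escrowed copy; only the holder of the private key can, and a wrong key fails to decrypt rather than yielding garbage. Manual recovery codes from a service can be escrowed the same way, and the per-account burden the thread complains about shrinks to restoring one encrypted bundle.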
If there is money for nothing by suing, count me in.