Page MenuHomePhabricator

Prevent users from editing, disabling, or swapping their primary contact number while they have SMS MFA

Authored by epriestley on Jan 23 2019, 7:12 PM.



Depends on D20022. Ref T13222. Since you can easily lock yourself out of your account by swapping to a bad number, prevent contact number edits while "contact number" MFA (today, always SMS) is enabled.

(Another approach would be to bind factors to specific contact numbers, and then prevent that number from being edited or disabled while SMS MFA was attached to it. However, I think that's a bit more complicated and a little more unwieldy, and ends up in about the same place as this. I'd consider it more strongly in the future if we had like 20 users say "I have 9 phones" but I doubt this is a real use case.)

Test Plan
  • With SMS MFA, tried to edit my primary contact number, disable it, and promote another number to become primary. Got a sensible error message in all cases.
  • After removing SMS MFA, did all that stuff with no issues.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Jan 23 2019, 7:12 PM
epriestley requested review of this revision.Jan 23 2019, 7:14 PM
amckinley accepted this revision.Jan 23 2019, 8:24 PM
This revision is now accepted and ready to land.Jan 23 2019, 8:24 PM
This revision was automatically updated to reflect the committed changes.