Cold sweat: recovery codes didn't work!
Hi there,
I just started a seldom-used FF profile to have it synced (you lose FF sync connection if you don't log in within 2 months, I think…). I set up my account for decent security: 2FA, wrote down the recovery key and recovery codes.
As I changed the password recently (didn't re-generate said recovery strings), I expected the disconnected state, all right. So I proceeded to enter my new password and, out of curiosity, decided to act as if I didn't have the 2nd factor on hand.
The Firefox Sync dialog page now asks me for a "Recovery code" that's 10 digits long. To my great surprise, none of those I saved when first setting up the account worked! I know I didn't use any of them.
Moreover, the terminology had me confused: when is a recovery key used vs. a code? Both files contain "Recovery codes" in their name; besides, a "digit" is: "1 any of the numerals from 0 to 9, especially when forming part of a number." Nowhere in Firefox Sync is a string of 10 "digits" generated: the "recovery key" is 32 characters long, in 8 sets of 4 characters, and the "recovery codes", as I understood it, are 10 "characters" long (and there are 8 of them), numbers and letters, so not digits.
Why did none of my codes work? Would it have been necessary to generate a new set after changing the password?
All replies (5)
You use the 32 character recovery key when you reset the password to prevent losing data stored on the Sync server.
You use a 10-byte recovery code if you use 2FA and do not have access to your authenticator app to generate the 6-byte TOTP code. Note that you still need 2FA access, either via the app or via a recovery code, if you want to reset the password and use 2FA.
I think I understand despite the even more confusing usage explanation: now a digit is the same as a character is the same as a byte. However, I learnt that a character (number, letter or symbol), at least in UTF-8, is represented on 8 bits, i.e. one byte, so the recovery codes consist of strings of 10 characters each, or 80 bytes, while the FF Sync server asks for 10 digits as if it were a bank card NIP.
Now the TOTP code is supposed to be 6 bytes long, i.e. 48 bits, which is correct, but still referred to by FF Sync as digits and properly describes what the user will see on his/her TOTP-generating app or token.
Confusing, isn't it?
But still, why did none of my codes work? Would it have been necessary to generate a new set after changing the password? If not, this is rather worrisome.
A byte is the same as a character in this context, as only normal 8-bit ASCII is used for the recovery key and recovery codes :wink:
…Agreed, but the FF Sync login page refers to "digits", and "character" or "byte" are nowhere to be found.
In any case, was it necessary to re-generate recovery codes after changing password? That would defeat the purpose of recovery codes IMHO.
The TOTP code is six digits, but the recovery key and 2FA recovery codes can include alphanumeric characters as well. I don't think it is worth the time and effort to discuss how to word those character strings, but rather to concentrate on the issue you reported if this is still not fixed.
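As an added example that is not part of this thread or of Firefox Sync's own code, the RFC 4226/6238 computation below shows why a "6-digit" TOTP is a decimal string derived from a 20-byte HMAC rather than a 6-byte value, and why a 10-character ASCII recovery code occupies 10 bytes, not 80. The 36-symbol alphabet used for the recovery-code strength estimate is an assumption for illustration, not Firefox's actual alphabet.

```python
import hashlib
import hmac
import math
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. HMAC-SHA1 yields a 20-byte MAC; 4 bytes are taken at a
    data-dependent offset, masked to 31 bits and reduced mod 10**digits.
    The result is a zero-padded string of decimal digits, so "6 digits"
    describes the display format, not a 6-byte quantity."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def ascii_byte_length(code: str) -> int:
    """Recovery codes and keys are plain ASCII, so one character is exactly
    one byte: a 10-character code is 10 bytes, not 80."""
    return len(code.encode("ascii"))


def random_code_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random code of `length` symbols drawn
    from `alphabet_size` symbols (log2 of the number of possible codes)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the step is 1.
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(rfc_secret, 59))            # 287082
    # Constructed sample recovery code; the 36-symbol alphabet is an assumption.
    sample_code = "a7k2m9q4z1"
    print("bytes:", ascii_byte_length(sample_code))         # 10
    print("6-digit TOTP guess space, bits:", round(random_code_bits(6, 10), 1))
    print("10-char recovery code, bits:", round(random_code_bits(10, 36), 1))
```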