S3Drive
Community / support / Password reset doesn't work when 2FA / MFA enabled
Hi, I purchased a lifetime Ultimate license of S3Drive during the last Black Friday sale, and decided to wait for a while before starting to use it. Today I tried to log in, and the system claimed my password was incorrect; neither typing nor copying from my password manager worked. I attempted to reset my password, but it says something about AAL2 session. I have no idea what AAL2 is, but it seems to be related to MFA. Please note that during my attempts to log in or reset my password I was never asked to provide my TOTP code and I couldn't find any way to perform MFA verification. I tried both the Android app and PC browsers (Firefox and Edge) and all failed. Could you please help me to access my account again? Thank you.
Hi, thanks for supporting the project and sorry for the troubles that you're experiencing. Can you send us your e-mail address via DM or to support@s3drive.app, so we can check your account on our end? Can you send a screenshot of the error which mentions AAL2? Based on your comment it seems you've never activated 2FA; does that hold true? Thanks!
Thanks, I will send the screenshot to support@s3drive.app. The error is "AAL2 session is required to update email or password when MFA is enabled". I have enabled 2FA on my account and I can still generate its TOTP code, but I wasn't provided a way to type my TOTP during the password reset process. Honestly I'm not sure if the TOTP would still work seeing how my password became invalid on its own. Thanks very much for helping.
Thanks, we've received your e-mail and analyzed the issue. It seems that there is an issue with MFA redirection in our auth library that was introduced recently: https://github.com/supabase/supabase/issues/35940 Before we address this topic reliably, there is a workaround that can be used. Once you're shown the password change prompt, please open a new tab using this link: https://web.s3drive.app/mfa/verify Provide your 6-digit code and submit, after which your session shall be upgraded to AAL2. You can then navigate to the previous password change tab and change your password. If by any chance you've closed it when opening the MFA verification page, you can manually navigate to it in your browser: https://web.s3drive.app/password-change Please let me know if that helped and sorry for the inconvenience.
Tom changed the channel name: Password reset doesn't work when 2FA / MFA enabled 5/31/2025 10:53 AM
Thanks very much for the instructions. I've successfully reset my password and can log in without issues.
One more thing which may be related to the MFA prompt issue. On a computer browser, if I log in to the web drive directly through https://web.s3drive.app/, I will get an MFA prompt. However, if I log in through https://s3drive.app/ ("Login" in the top-right corner), I will get to a page showing my purchase history and a link to the web drive without being asked for an MFA code. If I then navigate to the web drive, it won't ask for MFA and I will be in an unverified state.
Thanks for your feedback. In both cases, when a user logs in using their e-mail / password, they receive a valid login session, but if the user has MFA/2FA enabled then we need to enforce additional rules and lock resources behind AAL2. We do do that for Drive resources, so all our clients (https://web.s3drive.app and mobile/desktop) will require the user to pass the MFA login prompt. As you rightly pointed out, https://s3drive.app/account (a separate website from Drive: https://web.s3drive.app/), where the user can see their purchases and manage them, isn't protected at the moment, which we'll address in the near future.
If I then navigate to the web drive, it won't ask for MFA and I will be in an unverified state.
We've just addressed this shortcoming in the most recent Web build. The error "The specified session requires MFA login" should no longer appear; instead, the user will be redirected to the MFA verification page.
Thanks for the quick fix.
Timezone: UTC+0