
Cannot close MFA prompt after clicking on Email Address section in Account Settings

Oshino Shinobu

Browser, version and OS: Chrome 95.0.4638.69, Windows 10 64 Bit.

 

Steps to reproduce/what were you doing before it happened?

Open account settings and click on the Email Address section.

 

What happened?

MFA prompt immediately appears and there is no way to close it or move to any other settings section without navigating to a different URL.

 

What did you expect to happen?

Either have a button to close it or only prompt for MFA when submitting the request to change email address, not as soon as you click on the Email Address section as it prevents you from clicking to the other settings sections if you accidentally click on Email Address like I did.

 

Link to a page where it happened, if applicable: 

https://linustechtips.com/settings/email/

 

Screenshots of the issue, if applicable: 


 

Any other relevant details:

Obviously, MFA needs to be enabled for this to happen. I am using Google Authenticator, not sure if this is the same when using other MFA methods.

 


That's expected behavior to prevent account hijacking and an extra layer of security. In order to reach this page, you have to enter your 2FA code. Only way around this is to navigate to a different page, or enter the code.


33 minutes ago, Skiiwee29 said:

That's expected behavior to prevent account hijacking and an extra layer of security. In order to reach this page, you have to enter your 2FA code. Only way around this is to navigate to a different page, or enter the code.

Just a button that takes you back to https://linustechtips.com/settings/ seems like it would make sense, rather than locking the page, or only prompt once you've hit save. 

 

You can unlock the page by just removing the popup element, so don't see how this is really any additional layer of security (ban the F12 key /s). I haven't entered my MFA code here but the page is unlocked by just removing the popup element. If I hit save, it prompts for MFA as you'd expect (which again, locks the page with no way to back out). 

 


11 minutes ago, Oshino Shinobu said:

You can unlock the page by just removing the popup element, so don't see how this is really any additional layer of security (ban the F12 key /s). I haven't entered my MFA code here but the page is unlocked by just removing the popup element. If I hit save, it prompts for MFA as you'd expect (which again, locks the page with no way to back out).

If you try to submit, it will fail unless you completed the MFA prompt, so it's not just client side security. I agree that there should be a cancel option though.


1 minute ago, colonel_mortis said:

If you try to submit, it will fail unless you completed the MFA prompt, so it's not just client side security. I agree that there should be a cancel option though.

Yeah that's what I'd expect. MFA should obviously be required to change the email address for the account. 

 

The problem is that it appears as soon as you click on the Email Address section and cannot be cancelled without navigating (outside of the web page, so enter a new URL) or entering your MFA code. It shouldn't really ask for MFA until you actually hit save and even when it does, it should still have a cancel option. The prompt locking the page doesn't serve as any layer of security as you can just remove it to unlock it again, so seems an option to cancel should be there instead. 

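An added example, not part of any post above and not the forum software's own code: a minimal Python model of the behaviour discussed in this thread, where the server-side email-change handler refuses the request until a TOTP step-up has been completed, so removing the prompt element in the browser changes nothing. The `Session` class, the `STEP_UP_TTL` value and the handler names are hypothetical, and the secret and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_UP_TTL = 300  # assumed: seconds a completed MFA prompt stays valid


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Session:  # hypothetical server-side session record
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
        self.mfa_ok_at = None  # set only by verify_mfa(), never by the client


def verify_mfa(session: Session, code: str, now: float) -> bool:
    """Accept the current or previous 30 s window to tolerate clock drift."""
    for drift in (0, 30):
        expected = totp(session.secret, now - drift)
        if hmac.compare_digest(expected.encode(), code.encode()):
            session.mfa_ok_at = now
            return True
    return False


def change_email(session: Session, accounts: dict, new_email: str, now: float):
    """The enforcement point: runs on submit, whatever the page displayed."""
    fresh = session.mfa_ok_at is not None and now - session.mfa_ok_at <= STEP_UP_TTL
    if not fresh:
        # The client can render a prompt (with a cancel button) on this response.
        return 403, "mfa_required"
    accounts[session.user] = new_email
    return 200, "ok"


def demo():
    secret, now = b"12345678901234567890", 1_000_000.0  # constructed sample values
    accounts = {"alice": "old@example.com"}
    s = Session("alice", secret)
    blocked = change_email(s, accounts, "new@example.com", now)  # overlay removed, no code
    verify_mfa(s, totp(secret, now), now)
    allowed = change_email(s, accounts, "new@example.com", now + 10)
    return blocked, allowed, accounts["alice"]
```

Because the freshness check lives in `change_email`, the prompt can be deferred to the save action and given a cancel button without weakening the control.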
