https://devcenter.heroku.com/articles/recovery-codes#mfa-verification-using-a-recovery-code
If you want to log in but don’t have your primary MFA verification method available, you can easily log in with a pre-generated recovery code.
Select Choose Another Option.
Enter a recovery code.
Each recovery code is good for one use only. Codes remain valid until they’re used.
"Choose another option..." isn't an option. Locked out of my Heroku account after changing phones, and their documentation is inaccurate. Any help?
Related
My Mac broke down. Thus, I can't use Touch ID to verify myself anymore on Heroku. Thus, the only other option is to use a one-time password generator, which I don't even have set up, and you need to log in (and verify) to be able to set it up. What shall I do? How can I gain access to my Heroku account?
Heroku recommends having a back-up in place:
We recommend registering another verification method to ensure that you can log in to Heroku on other devices where a built-in authenticator is not present.
and:
Recovery codes provide an important backup if your usual MFA verification method is not available. For example, if you normally use Salesforce Authenticator but forget your mobile phone one day, you can still log in using a recovery code. Generate a list of ten single-use recovery codes that you can keep in a safe place until you need them.
This is always a good idea when using MFA with any service.
If you do not have another authentication method registered and you don't have recovery codes, you'll have to ask for help. How you do that depends on whether you're a member of an enterprise account:
Registering multiple MFA verification methods is strongly recommended.
If you’re a member of a Heroku Enterprise Account and need help with recovering access when your MFA verification method isn’t available:
Your Enterprise Account admin can generate a temporary verification code that allows you to log in to your account (starting August 2021)
You can contact support for help.
If you're not a member of a Heroku Enterprise Account:
e-mail account-lockout#heroku.com for help.
We may request additional information to recover access to ensure that an attacker is not attempting to access your account.
I sell Macs and I'm looking for a way, for our security and to combat purchase fraud, to have the machines phone home the first time they are booted up to show that the machine has been in use at the client's IP address.
Now I know the client might set the computer up at a location other than their home and could spoof their IP (although the potential scammer wouldn't realise this system was in place, so wouldn't be expecting to do this), but any system is better than no system.
In terms of privacy, we'd put it in our privacy policy, but of course we're not looking to collect any information from the user apart from their IP address, and the script should delete itself once it's connected to the internet for the first time.
How would users recommend the best way to do it? I have full access to the computers beforehand, and we already launch a script on first boot of the user account to show a welcome and help guide, so we could add simple scripting there, but maybe a helper program which attempts until an internet connection is first established, makes contact and deletes itself is best.
And of course we'd need a two-pronged approach: a URL or API of some sort on our server that the computer connects to. Ideally the information to send would be the serial number and the IP address of the user; the MAC address could be useful too, as often, if fraud has been committed, the police will also check to see if the original MAC address of the system has connected via the ISP server logs.
I suppose the final piece of the puzzle would be that our logged data would somehow need to prove it was sent from that computer and not just generated ourselves in a database (e.g. we haven't just pretended it's connected from their IP that we've picked up from an e-mail address or something). I'm not sure if there would be any secure legal way to do this?
=============
Edit: Thinking of ways to make it legally binding in terms of presenting the information to the police or the courts, I think the receiving server would need to be hosted and maintained by an independent third party whom you had a contract with and who didn't allow you any write access to the information whatsoever; all you could do is visit a website and pull up the data to present the evidence to the police.
(I seem to have been voted down because someone likes committing fraud?)
I have looked into similar solutions for MacBooks in the past with little luck. One thing I have found, however, if you have a web server, is to create a PHP page in an obscure hidden directory that will capture the IP address and send an email on access. From here you can create a page specific to each computer with MAC and serial number and set this as Safari's homepage in a different tab. So every time someone attempts to access the internet you will be notified.
(This PHP page can be a simple blank page that just looks like a new tab, or can even display warnings such as "You are being tracked".)
You could also create a Python script on startup to send the information you are looking for, such as IP, MAC and serial number, back, but again you would need another server set up as a listener.
And lastly, if possible, create a business account in iCloud and use Find My iPhone/Mac. This is probably the easiest if you can get away with it, but unfortunately will not provide you with instant notifications.
-M
Ok, so I'm guessing the answer to this question is no (sensing privacy issues here), but let's check anyway.
Is it possible to read the username of the computer user (think SSO)? This could perhaps be read from the owner of the Firefox process.
I'm not really seeing anything about it in the SDK docs, and searching for username just gives me a bunch of password managers.
api-utils/environment provides access to the user's shell environment variables:
https://addons.mozilla.org/en-US/developers/docs/sdk/latest/packages/api-utils/environment.html
Here is some basic usage:
https://builder.addons.mozilla.org/package/156370/latest/
Depending on what info you need, you can run system commands with the privileges of Firefox itself to get info from, say, the Windows registry. You should be aware that malicious use of code like this would not be allowed when your add-on is reviewed by the Mozilla Add-ons site.
Our organization has a number of Rails applications (websites) deployed to Heroku. A former developer has left the organization, and as good practice we want to change the Heroku API key associated with our account to prevent any modifications to the apps via the Heroku CLI.
I know that the Heroku API key is used for Heroku CLI access (it gets cached in ~/.heroku/credentials), but I'm not certain what else it is used for. Specifically, do third-party add-ons in the Heroku platform (e.g. New Relic, Hoptoad/Airbrake, Sendgrid, etc.) use this, and therefore require reconfiguring if the API key is changed? Heroku throws up a fairly generic (and non-informative) error message when you click the "regenerate" button to change it.
Because the term "API key" is so generic, I want to be clear that this is the single API key associated with each Heroku account, accessible via the "My Account" link. Image (and warning message) below.
Asked Heroku Support. This is what I got back:
"you can safely change your API key at any time, as we don't give it to any add-on providers. That alert is meant to remind you that if you added your API key to any application or service (ie for auto scaling, manually provision workers, etc) it will stop working until you provide it a new key."
I requested that they update the interface/documentation to make this more clear.
Also remove him from being a collaborator on all your projects so he can't push to them via git.
Out of curiosity (I'd never seen "reset key" in the admin) I tried it. When I then tried to use the CLI against one of my apps I was asked to reauthenticate, but I can't now get back in. Doh! The same username/password works via the site. I'll ping support and report back.
UPDATE:
So it appears my problem is entirely due to the Heroku Accounts (https://github.com/ddollar/heroku-accounts) plugin that I'm using, which stores a copy of the key in the ~/.heroku/accounts/ file. Support got me to remove the folder and it all works now. Just something to be aware of if you reset your API key.
Is there a reliable way to determine the last user name to log in to the system? I've looked at LsaEnumerateLogonSessions() and LsaGetLogonSessionData(), however they require elevation on Vista and later (which I'm keen to avoid). WMI has the same problem (presumably it's just calling Lsa behind the scenes).
I've also looked at "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" in HKLM, but in testing that's unreliable and doesn't get updated.
I'm really only interested in console logons, rather than Fast User Switching or TS logons.
I've read various articles, but have yet to come up with a good solution.
You might be able to use Audit Logon events. This requires your service to have a user access right to see the Security log, but not to be a full Administrator.
Event ID 528 indicates who logged on; you'd have to find the most recent instance of this.
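As an added example (not part of the answer above, and not code from the question's author): a PowerShell function that reads the Security log and returns the most recent interactive console logon. It uses Event ID 4624 with LogonType 2, which is the ID Vista and later record for successful logons (528 is the pre-Vista ID), so the query skips network, service, RDP and unlock logons and the Window Manager / Font Driver Host accounts that also appear as type 2 on modern Windows. Reading the Security log needs only membership in the built-in "Event Log Readers" group, not a full Administrator token. The `$MaxEvents` parameter name and the output shape are my choices, not anything from the original thread.

```powershell
# Added example: most recent interactive console logon from the Security log.
# Needs read access to the Security log (e.g. "Event Log Readers" membership).
function Get-LastConsoleLogon {
    [CmdletBinding()]
    param(
        # How many recent 4624 events to scan before giving up (assumed default).
        [int]$MaxEvents = 500
    )

    # Get-WinEvent returns newest events first, so the first match is the latest.
    $filter = @{ LogName = 'Security'; Id = 4624 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 2 = interactive (console). Skips 3 (network), 5 (service),
        # 7 (unlock), 10 (RemoteInteractive/RDP) and others.
        if ($data['LogonType'] -ne '2') { continue }

        # Skip machine accounts and the system/desktop-manager principals that
        # Windows 8+ logs as interactive logons.
        if ($data['TargetUserName'] -match '\$$') { continue }
        if ($data['TargetDomainName'] -in @('Window Manager', 'Font Driver Host')) { continue }
        if ($data['TargetUserSid'] -in @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')) { continue }

        return [pscustomobject]@{
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonTime = $evt.TimeCreated
            LogonId   = $data['TargetLogonId']
        }
    }

    # No console logon within the scanned window.
    return $null
}

Get-LastConsoleLogon
```

Note that audit logging of successful logons must be enabled (the "Audit Logon" subcategory) for 4624 events to exist at all; on a machine where it is off, the function returns `$null` rather than a stale value, which is the failure mode to test for before relying on it.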