How to lose access to your servers on DigitalOcean
54 points by migueltarga 1401 days ago
I have had an account on DigitalOcean for a long time and I was using GitHub Login as the method of authentication.

For the past 7 years I had my company email as my primary email, and my personal email as secondary.

August 18, 2022 1:56:22 PM PDT I removed my primary email account because we had a merger in our company, and now we use different emails.

Now I can't get access to my DigitalOcean account, because for some reason they don't use the GitHub identifier but the email address. (Also, I lost access to my company email.)

I've been trying to get access to my account for the last 20 hours; they requested a picture of my ID, and of me holding my ID.

They have everything they need to change the primary email to the one I requested, but the support team doesn't understand the problem...

So be careful using GitHub as your DigitalOcean authentication method!

Someone had a similar issue in 2020: https://twitter.com/salzian_dev/status/1293975538990813187

11 comments

At least you've learned a good lesson here.

If you want ownership of an account, you need ownership of the email you use. And do a hard separation between personal and work services.

Also, the hoops you're going through suck, but it's good they resist common social engineering tactics like they are. Good on them.

Maybe suck up to a sys admin to re-instate the email for a day if support goes nowhere.

Also, if they're not keeping the old domain (thus being able to create any (new or old) email account), they're doing a really bad job at sysadmining.
This doesn't really solve the root cause. It could just as easily be caused by selling off a business unit where this isn't an option.
They did everything to confirm my identity and prevent social engineering tactics, which is exactly what I expected from the company.

But I feel like they don't have an internal process to solve this issue; I haven't heard anything back for the last 8 hours.

To be fair, for a standard account, not hearing back for 8 hours wouldn't concern me too much.
For sure the SLO for a standard account is 24hrs.
Losing your email isn't DigitalOcean's fault and the fact that they are actively working on getting you access back should prevent you from naming and shaming them.
I do think it's at least surprising that changing your email address on GitHub would cause you to lose access to places where you used GitHub 3rd party auth to log in. If those schemes don't centralize management of those kinds of details to the auth provider, what's the point of them?
I love DigitalOcean, don't get me wrong. I'm just sharing the bad experience with the "Social Authentication" flow and how long it is taking to solve a simple problem.

This is also a heads up for anyone using GitHub as the authentication method.

It's definitely not a simple problem though. Anyone can claim they own your account. And it would be bone-headed to make the re-verification process easy.
Sure, but I did not change my authentication method. I'm still using GitHub login, with the same GitHub ID...
And now the company admin, or, if the domain is for sale again, whoever buys it, can take over his account.
If he is using a GitHub account, all he needs is to authenticate with it. He is not obliged to keep his email, phone, home address and authenticator ready because the system decides he is sus every 30 days.
Yeah. I'm not even 100% sure what this "GitHub" part is all about, but I'd be thankful for anyone helping me in any way to recover my account.
Gabe with DO here. That's a bummer. I hope our support team is able to get your access restored. If you get stuck, feel free to email me: gabe@
Thank you Gabe, I sent you an email.
Received. I confirmed the team is working the issue. Stay tuned.
Thank you very much for helping with this, much appreciated!

I would love to see improvements to the "Social Authentication" process, making the third-party ID the primary identifier, instead of the email.

I hear you. I’ll talk to the team about how we can do better.
I work in the public service sector. When we're architecting OAuth2/OIDC integrations we specify using a unique identifier like a guid or some otherwise immutable id as the federation id. This way other attributes that may be ephemeral can change at will. It's not always easy determining this but it's worth it.
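An added example (not from this thread, nor DigitalOcean's or GitHub's code) of the linking scheme this comment describes: accounts are keyed on the OIDC (iss, sub) pair and email is treated as a mutable attribute that is refreshed on login. The fragile email-keyed lookup is shown beside it so the lockout in the original post can be reproduced; issuer, subject and addresses are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str  # mutable contact attribute; never used as the lookup key


class AccountStore:
    """Links federated logins to local accounts. The robust key is (iss, sub):
    issuer plus the provider's immutable subject id. The email index exists
    only to demonstrate the fragile scheme beside the robust one."""

    def __init__(self):
        self._by_federation = {}  # (iss, sub) -> Account
        self._by_email = {}       # email -> Account
        self._next_id = 1

    def first_login(self, claims):
        acct = Account(self._next_id, claims["email"])
        self._next_id += 1
        self._by_federation[(claims["iss"], claims["sub"])] = acct
        self._by_email[claims["email"]] = acct
        return acct

    def login_keyed_on_email(self, claims):
        """Fragile: a primary-email change at the provider looks like an
        unknown user, even though iss/sub are unchanged."""
        return self._by_email.get(claims["email"])

    def login_keyed_on_subject(self, claims):
        """Robust: find the account by (iss, sub), then refresh the email."""
        acct = self._by_federation.get((claims["iss"], claims["sub"]))
        if acct is not None and acct.email != claims["email"]:
            self._by_email.pop(acct.email, None)  # keep the index consistent
            acct.email = claims["email"]
            self._by_email[acct.email] = acct
        return acct


def lockout_scenario():
    """Constructed claims: same subject, new primary email on the 2nd login."""
    store = AccountStore()
    first = {"iss": "https://idp.example", "sub": "12345",
             "email": "dev@oldcompany.example"}
    later = dict(first, email="me@personal.example")
    created = store.first_login(first)
    by_email = store.login_keyed_on_email(later)    # None: locked out
    by_sub = store.login_keyed_on_subject(later)    # same account, email refreshed
    return created.account_id, by_email, by_sub.account_id, by_sub.email
```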
You need to authenticate your new email address first before you delete the old one.

https://docs.digitalocean.com/products/accounts/settings/

Why did you have an account from your workplace as the first address in the first place? I never trust my employer with more personal data than necessary. He is in control of the address and can do what he wants with it.
Not possible to gain access with 2-factor authentication. I used it as my primary email to receive email notifications.
That's extremely weird that you can't use the same address for notifications and 2FA.

But if that's the case, you shouldn't tie personal accounts to work stuff like this in the first place. Just make a second email address.

Sure it's convenient but then you dig yourself holes like this.

If you are using GitHub authentication, why does your email even matter? That's bad...
Simply don't use SSO. It's full of these kinds of edge cases. Thankfully we don't "login with Facebook" anymore either.
This happened to me with Tailscale, but because my GitHub name changed. It was quite confusing at first.
I don't understand the issue. Can someone ELI5? OP signed up with DO using GitHub login but used a different primary email account on DO which they no longer have access to, and now DO will not let them log in with GitHub?
I just had a different primary email on my GitHub account when I signed up for DO. By changing my primary email on GitHub, I lost access to DO.
Isn't it safest to use a single password manager to rule them all, and a separate MFA application?

I mean, sure it would prevent this specific scenario. But I mean, in general, when is it safer to use github or another social login?

That is why I cancelled my DO account and switched to normal VPS hosting. They give you a login and password and never enforce broken 2FA and SSO schemes that lead you to lose access and to give a phone number, a photo of your ID, enter email PINs when your IP changed and other "very secure" crap.