Discrimination in accessing Jira tracker! #60

Open
vessokolev opened this issue Dec 20, 2024 · 4 comments

Comments

@vessokolev

Currently, the Jira tracker at:

https://ec.europa.eu/digital-building-blocks/tracker/projects/DSS/issues

can be accessed only by holders of an eID issued by one of the following countries:

Austria, Belgium, Croatia, Czechia, Denmark, Estonia, France, Germany, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden

The citizens of the following countries, who contribute with their taxes to funding the EU, are excluded from accessing Jira:

Greece, Bulgaria, Hungary, Romania, Finland, Ireland, Cyprus

since the authentication system running on:

https://webgate.ec.europa.eu

rejects them just because they have no eID. And no, the webgate no longer validates "external" accounts and social network accounts. And I think you are perfectly aware of that fact.

@vessokolev vessokolev changed the title Discriminatory in accessing Jira tracker! Discrimination in accessing Jira tracker! Dec 20, 2024
@bsanchezb
Collaborator

Hello,

eID is not necessary for accessing the DSS JIRA tracker. Please use the "Create an account" option in order to proceed.

[image]

Should you have any difficulties, please let us know.

Best regards,
Aleksandr

@vessokolev
Author

vessokolev commented Dec 20, 2024

The Jira resource is inaccessible using a user account with an e-mail as ID and a password as the authentication method. I deliberately created 3 different accounts today just to be certain there is no misconfiguration on my side. None of them can pass the webgate authentication portal using password authentication only. Note that most visitors of the tracker just want to check whether some issue exists. Why do they need to pass through such a heavy authentication process just to be able to read about the latest issues?

Never mind. Let me get back to the account issue:

[image]

The portal insists on authenticating me with methods that are not available to my type of account (none of the methods in the list shown below can be added to an account that cannot be associated with a valid eID; "security key" is there, but it does not specify the type):

[image]

So why does that list even appear if the account has not even a single 2FA or other passwordless method configured? This is very misleading. It is misleading because that list does not show the possibility of employing a FIDO2 token, which is available to the accounts that are not lucky enough to get an eID. Again: the list of authentication methods does not show password as a method, even if one only needs to read about the issues. That same list specifies methods that are not available to that kind of account. One needs to edit his account and add a FIDO2 token. Only afterwards can the FIDO2 token be selected from the list — it appears there along with all those methods that are not available to the account. So if one does not have an eID, he might just fall into the trap of scrolling through misleading menus that show false positives and are there to prevent users from accessing Jira. Those who are lucky enough to have an eID can go smoothly through the process. The rest of humanity has to rely on fighting misleading interfaces. That distracts people from contributing to the project. And it really is discrimination: for those with an eID everything is easy, but for the "outsiders" nothing is clear.

The authentication platform is far from perfect. For instance, if I want to log out from my profile:

[Screenshot from 2024-12-20 19-45-07]

I can do that, and the system informs me I am out:

[Screenshot from 2024-12-20 19-45-14]

That is totally untrue. Until I clear the browser's cache, I can log back in by just clicking on "Log in again", and I am in without providing any credentials:

[Screenshot from 2024-12-20 19-45-37]
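The "logged out, but 'Log in again' works without credentials" behaviour reported in the comment above is the classic symptom of a logout that only clears the client-side cookie while the server-side session record stays valid. The following is an added example, not code from this thread, from DSS or from EU Login: a minimal in-memory session store with a weak logout beside a hardened one, plus a check that replays the old session id after logout the way a cached cookie or a "Log in again" link would. All names (SessionStore, replay_after_logout, the user "alice" and the password) are hypothetical and constructed for the demonstration.

```python
import secrets
import time

# Hypothetical session store standing in for an SSO/CAS-style server.
# Constructed for the example; not the EU Login implementation.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct-horse"


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # session id -> (user, expiry epoch seconds)
        self._ttl = ttl_seconds

    def login(self, user, password):
        # Constant-time comparison against the demo credential.
        if user != DEMO_USER or not secrets.compare_digest(password, DEMO_PASSWORD):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, time.time() + self._ttl)
        return sid

    def whoami(self, sid):
        """Resolve a presented session id; None means 'not authenticated'."""
        rec = self._sessions.get(sid)
        if rec is None or rec[1] < time.time():
            self._sessions.pop(sid, None)
            return None
        return rec[0]

    def logout_weak(self, sid):
        # Weak: only tells the browser to drop the cookie. The server-side
        # record survives, so any client still holding the id is still in.
        return {"Set-Cookie": "SID=; Max-Age=0"}

    def logout_strong(self, sid):
        # Hardened: invalidate server-side first, then clear the cookie.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "SID=; Max-Age=0"}


def replay_after_logout(strong_logout):
    """Log in, log out, then replay the old session id as a cached cookie
    (back button, second tab, or a 'Log in again' link) would.
    Returns the user the server still believes is authenticated, or None."""
    store = SessionStore()
    sid = store.login(DEMO_USER, DEMO_PASSWORD)
    assert sid is not None
    if strong_logout:
        store.logout_strong(sid)
    else:
        store.logout_weak(sid)
    # The browser was told to forget SID, but this client ignores that and
    # presents the stale id again.
    return store.whoami(sid)


if __name__ == "__main__":
    print("weak logout, replay yields:", replay_after_logout(False))
    print("strong logout, replay yields:", replay_after_logout(True))
```

The same check works against a real deployment with an HTTP client: capture the session cookie after login, submit the logout, then re-send a request with the captured cookie. If the response is still the authenticated page, logout is client-side only, and the "Log in again" link is simply reusing the still-valid server session. Where the application sits behind a separate SSO, the application's own session and the SSO session must both be invalidated for logout to hold.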

@vessokolev
Author

Tested this on mobile browsers — Samsung Internet, Google Chrome, Brave — all running on the latest Android 14 as patched by Samsung. With the EU Login app and an associated ID, everything appears to work perfectly (I can successfully authenticate against EU Login). But if I decide to switch to my other account, with which no eID is associated, and try accessing Jira, the attempts just fail. The browser behaves as expected: once I am redirected to the EU Login portal, it wants me to have my security key attached (the FIDO2 key I registered with the account and that works on a PC). The next step is to provide the PIN for unlocking the FIDO2 device. No matter how many times the PIN is correctly typed, there is no access. The PIN provided is correct; otherwise, after typing a wrong PIN five consecutive times, the FIDO2 device would get locked (which is not the case). Snapshots are provided below:

(1) asking for passkeys (no passkeys can be registered with the EU Login portal):

[photo_2024-12-20_20-17-47]

(2) switching from passkey to hardware FIDO2 token by clicking "Use a different device" and plugging in the token already registered with the EU Login username:

[photo_2024-12-20_20-17-49]

No matter how many times the PIN is typed, the EU portal just requests yet another login attempt.

@raunion

raunion commented Jan 7, 2025

Dear @vessokolev, I'm from the eSignature team managing DSS, and we apologize for the issues you had with EU Login, but it is the Identity Provider enforced by the European Commission on all their tools to protect access, and it does not discriminate in access: eID is just one of many options. I'll send your comments to the team behind EU Login, as it could help to improve the application.

All your 2FA methods can be set up here: https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi. We recommend "Manage my Security Keys, Trusted Platforms and Passkeys" and setting up Passkeys if you don't want to install the EU Login Mobile Application.

If you need help/support, you can find the link in the footer (https://trusted-digital-identity.europa.eu/eu-login-help/external-self-registered-account-faq_en) and read the FAQs and contact channels.
