Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

2FA and SMS Recovery - Update country code dropdown list to align with our Twilio account, and track what must be removed #78207

Open cuemarie opened 1 year ago

cuemarie commented 1 year ago

Quick summary

The list of Country Codes we offer for 2FA and SMS Recovery numbers is missing countries that are technically listed as supported internally. Examples: Papua New Guinea and Vanuatu.

Right now, there's no clear documentation of why certain countries are not on the list. To clean this up, we should add any country from Twilio's list to our dropdown, and then troubleshoot if/when a user reports an issue. This troubleshooting would generally fall under 2 categories:

  1. Their phone number is not accepted. (Often accompanied by an error message in Calypso)
    • This is unrelated to Twilio, as the phone number must be set up and accepted before we can attempt to send a code - so in these cases, we need to figure out why we are not accepting the number the user is providing.
  2. Their phone number is accepted, but they do not receive an SMS code.
    • Troubleshoot Twilio SMS code to determine why that failed. Steps for this are laid out here: p7DVsv-70Q-p2

While a phone number cannot be used, users use an Authentication App for 2FA instead, which is more secure.

Finally, if we determine that an SMS code failed for a reason that applies to the entire country code, then we should document that internally, and then remove the country code from the dropdown list of options.

Steps to reproduce

  1. Open https://wordpress.com/me/security/two-step or https://wordpress.com/me/security/account-recovery
  2. In the Country code dropdown, look for Papua New Guinea (+675) or Vanuatu (+678)

What you expected to happen

To be able to select that country code.

What actually happened

The country code is not in the list.

[Image: Markup 2023-06-14 at 12 08 52]

However, both of those are included in our account, and neither is experiencing a country block or sanction that might explain exclusion:

[Image: Screen Shot 2023-06-14 at 14 02 04]

Impact

Some (< 50%)

Available workarounds?

Yes, easy to implement

Platform (Simple and/or Atomic)

No response

Logs or notes

No response

cuemarie commented 1 year ago

@mreishus You worked on the code to add Vanuatu to the country code list back in Aug 2021, and then undid that when the user's number failed.

Would you have a moment to take a look at our discussion and thoughts above, and let us know who might be able to help with this?

mreishus commented 1 year ago

Sure. Back in 2021, I figured out how to add a country to the dropdown, but I couldn't find any method to test the new countries without directly asking a user to try receiving an SMS. As discussed in the Slack conversation linked above, trying it again and checking Twilio for log messages might be a good step to move forward. As for someone to help out with this, I'm not sure - lots of things have moved around and I'm not certain how it works on dotcom anymore - @ebinnion might be able to help. My previous patch D66157-code can work as a template for adding a country to the dropdown.

cuemarie commented 1 year ago

Thanks so much @mreishus! Appreciate the context and the template for next steps here! @ebinnion - any thoughts on priority of this and (if high enough) who might be a good team to ask to take a look?

ebinnion commented 1 year ago

Priority seems low to me since there is the 2FA app option. As far as team, @Automattic/bespin most likely.

cpapazoglou commented 1 year ago

Note: this requires access to the Twilio console.

llvee commented 1 month ago

Hello, is your team interested in receiving some help with Twilio challenges?