Locked out of Pro account — 2FA/TOTP requested after GitHub SSO that I never enabled (ticket SU-382915) #46339
Replies: 4 comments 2 replies
-
I'll add your ticket to the informal queue.
-
Understood — thanks for explaining, Gary, and for flagging it as Pro +
account-locked-out. Just to keep routing clean: this is the false-2FA
case (I never enabled MFA; clean incognito + a second device both still
prompt, so it's a server-side factor — not a lost authenticator).
I've got ownership proof ready to go (invoice, org, project refs) the
moment support reaches out. Really appreciate the help 🙏
GaryAustin1 ***@***.***> wrote on Monday, May 25, 2026 at 10:30 PM:
… Basically all that is up to support and depending if false 2fa or it is
setup might even be different teams. But the informal queue is just your
ticket # to get it out of the general free queue and flagged as account
locked out issue and Pro.
-
Hi team,
Closing the loop on SU-382915 — access has been restored. The dashboard
prompt cleared on its own this morning (consistent with the recurring
server-side state issue Gary noted in #help-and-questions), so I was
able to sign in without intervention.
I've used the window to harden the account against a recurrence:
- Enabled proper MFA (TOTP) with the setup secret backed up and the
same factor registered on a second device, given that Supabase does
not issue recovery codes.
- Generated and securely stored a Personal Access Token for CLI /
Management API use, so future dashboard lockouts won't stall ops work.
- Invited a secondary admin under a different auth chain to the
organisation as a rescue path.
- Rotated the project database password and verified all three layers
(REST anon, REST secret, direct Postgres via pooler) are healthy on
the new credentials.
- Hardened the linked GitHub account (TOTP + offline-stored recovery
codes).
Feel free to close SU-382915. Happy to be a data point if the
engineering team wants more detail on the spurious-2FA pattern —
this ticket can serve as the reference.
Thank you to Gary for the informal-queue bump, and to the team for
following up.
Best,
Roy
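
Added example, not part of the original post: a way to confirm that a backed-up TOTP setup secret reproduces the codes an enrolled device shows, which is the only recovery path when no recovery codes are issued. The `otpauth://` URI is constructed from the RFC 6238 test secret, and SHA-1, a 30-second period and 6 digits are assumed defaults, not parameters stated on this page.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample backup (RFC 6238 test secret "12345678901234567890"),
# not a real account. Assumed format: the otpauth:// URI behind the setup QR code.
BACKUP_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30&digits=6")

def parse_otpauth(uri):
    """Return (key_bytes, period, digits) from a TOTP provisioning URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # restore stripped base32 padding
    period = int(q.get("period", ["30"])[0])
    digits = int(q.get("digits", ["6"])[0])
    return base64.b32decode(secret), period, digits

def totp(key, unix_time, period=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA-1 (assumed algorithm)."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches_device(uri, device_code, unix_time, skew_steps=1):
    """True if the backed-up secret yields the code the device displayed,
    allowing +/- skew_steps time steps of clock drift between the two."""
    key, period, digits = parse_otpauth(uri)
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, unix_time + step * period, period, digits)
        if hmac.compare_digest(candidate, device_code):
            return True
    return False

if __name__ == "__main__":
    import time
    key, period, digits = parse_otpauth(BACKUP_URI)
    print("code from backup now:", totp(key, time.time(), period, digits))
```
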
-
Hi everyone, I'm locked out of my GitHub account. I lost my phone, which had the GitHub Mobile app as my only 2FA method. Has anyone been in this situation and found a way to recover their account? Any help is appreciated. Thank you!
-
Plan: Pro
Support ticket: SU-382915 (filed by email; auto-reply bounced it to the
Free queue and told me to use supabase.help — but I am locked out, see below)
Project ref: oirmzzmntjjaqyhvppnq
Important: I have NEVER enabled MFA on this account
This is the "spurious 2FA prompt after GitHub SSO" issue, not a lost-device
case. Signing in via GitHub SSO redirects me to a TOTP 2FA prompt, but:
A clean incognito + second device still demanding a code means the factor is
server-side state on the account, not local. @GaryAustin1 has noted in
other threads that "every few weeks someone claiming no 2fa hits this" — this
is the same recurring issue (see #27802 and #43679, and the recent Discord
thread "2FA lock-out - support not picking up my ticket").
The catch-22
The auto-reply says paid priority needs the supabase.help form, but that form
requires dashboard login — exactly what I'm locked out of. Email is the only
channel available to a locked-out user.
Request
Could a maintainer please add ticket SU-382915 to the informal escalation
queue so the team can verify my ownership and reset/remove the server-side
MFA factor on this Pro account? I can provide any proof required (billing
email, org name, project ref, GitHub username). Thank you.