Community Wishlist Survey 2017/Admins and stewards/U2F support for 2FA
U2F support for 2FA
- Problem: Admins and people with higher rights are constantly under attack by hackers trying to guess or steal their passwords. Two-factor authentication (2FA) protects against this, but the current mechanism is vulnerable to phishing and to hacking of mobile phones, and it is confusing for some non-technical users.
- Who would benefit: Admins/Checkusers/People who have access to sensitive data and all other people whose data they have access to
- Proposed solution: Enable Universal 2nd Factor (U2F) support for Wikimedia projects. U2F is a more modern 2FA mechanism with several advantages:
- it's self-contained, no need to install any software: just plug it into a USB slot or touch it to your phone and it works;
- it is hardware-based and thus unhackable in practice: the secret key never leaves the device and there is no way to tamper with its software;
- keys are bound to the website domain, so it is immune to phishing.
- More comments:
- Phabricator tickets: phab:T100373
- Proposer: Amir (talk) 12:01, 18 November 2017 (UTC)
- Translations: none yet
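To make the domain-binding point in the proposal concrete, here is an added example (not code from the proposal, from MediaWiki or from any U2F library) that simulates the U2F authentication step in Go: the browser, not the web page, fills in the origin, and the token signs over a hash of the site's appId, so a relying party checking that hash rejects an assertion produced on a look-alike domain. It simplifies appId to equal the origin, uses constructed names (meta.wikimedia.org as the site, a made-up example.net look-alike, a fixed challenge string) and omits key handles and attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// signedBytes is the U2F authentication message the token signs:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedBytes(appID string, counter uint32, clientData []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append([]byte{}, app[:]...)
	msg = append(msg, 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, ch[:]...)
}

// browserSign simulates browser plus token (simplified: appId is the origin). The browser, not the
// page, writes the origin the user is really on, so a look-alike domain can only obtain a signature
// over its own origin hash. Returns the clientData JSON and the signature.
func browserSign(priv *ecdsa.PrivateKey, origin, challenge string, counter uint32) ([]byte, []byte) {
	cd, _ := json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
	digest := sha256.Sum256(signedBytes(origin, counter, cd))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cd, sig
}

// verify is the site's check: type, challenge and origin must be what it issued, and the signature must cover its own appId hash.
func verify(pub *ecdsa.PublicKey, appID, challenge string, counter uint32, cd, sig []byte) bool {
	var c map[string]string
	if json.Unmarshal(cd, &c) != nil || c["typ"] != "navigator.id.getAssertion" ||
		c["challenge"] != challenge || c["origin"] != appID {
		return false
	}
	digest := sha256.Sum256(signedBytes(appID, counter, cd))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo registers one key, then answers the same challenge from the real site and from a constructed look-alike domain.
func demo() (realOK, lookalikeOK bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const site, chal = "https://meta.wikimedia.org", "constructed-random-challenge"
	cd, sig := browserSign(priv, site, chal, 1)
	realOK = verify(&priv.PublicKey, site, chal, 1, cd, sig)
	cd, sig = browserSign(priv, "https://meta.wikimedia.org.example.net", chal, 2)
	lookalikeOK = verify(&priv.PublicKey, site, chal, 2, cd, sig)
	return realOK, lookalikeOK
}
func main() { fmt.Println(demo()) } // true false
```

Even if the relying party forgot the origin string comparison, the second assertion would still fail, because the token signed SHA-256 of the look-alike origin rather than of the site's appId; that is what takes the "is this really Wikipedia?" decision away from the user.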
Discussion
I expanded the description; feel free to change or revert. --Tgr (talk) 08:07, 20 November 2017 (UTC)
One of the biggest downsides to U2F compared to 2FA is the need for dedicated hardware. Most people have mobile phones to install authenticators on, whereas people may not have the hardware required for this. Some staff use YubiKeys. Is specialised hardware required, or could one theoretically use a generic USB stick? I'm wondering if this wish could be coupled with an initiative to distribute the relevant hardware to people. If preconfigured devices were brought by staff to public Wikimedia events (hackathons, Wikimania, etc.) then the only added costs would be staff time to set up the devices and the cost of small-capacity USB sticks. (This is just an idle thought I had, I have no control over any budget to do this.) --Dan Garry, Wikimedia Foundation (talk) 15:09, 20 November 2017 (UTC)
- @Deskana (WMF): Custom hardware is required. Part of the security guarantee of U2F is that your secret keys never leave the device so all the encryption, certificate verification etc. has to be done by the firmware. Cheap options are around $15 (U2F Zero is $9 but very barebones). High-end ones are $50-ish. I don't think they require any setup typically (Yubikey definitely doesn't; it supports a bunch of other authentication methods, like the OTP-based one used for WMF VPN access, and that requires some configuration, but the U2F functionality works out of the box). --Tgr (talk) 05:47, 28 November 2017 (UTC)
- I believe this proposal should clarify that U2F support is going to supplement, not replace the currently existing 2FA mechanism (which may as well be made more user-friendly, but that's the topic of Make 2FA easier to use). It is my impression that people like L736E vote against the proposal based on the (I believe) wrong assumption that U2F will be the only supported 2FA method. Amir, Tgr?
— Luchesar • T/C 17:19, 1 December 2017 (UTC)
- That's correct. What this proposal wants is to add the support; people can choose between these two options. Amir (talk) 23:50, 1 December 2017 (UTC)
Voting
- Support Tgr (talk) 05:48, 28 November 2017 (UTC)
- Oppose Many good password managers are available for free, like PasswordSafe or LastPass, and they can create an unlimited number of passwords of any length. For instance, I connect to Wikimedia projects with a 24-character password, composed of lowercase letters, uppercase letters, numbers, and non-alphanumeric characters. Don't ask me what it is; only my browsers and my password manager know. If you try to log in to my account, you will need to solve CAPTCHAs after some failed attempts. LoginNotify runs on all projects. You can only read Wikimedia projects using w:HSTS and w:HTTPS. All exchanges are done using "PKCS #1 SHA-256 With RSA Encryption". If you ever have a chance to read about w:Kevin Mitnick and social engineering, you will learn that the weak point in security is the human, very seldom the machine. For these reasons, we don't need further connection protection, but users must use a good password manager. U2F cannot correct erratic or weak human behavior. Cantons-de-l'Est (talk) 12:37, 28 November 2017 (UTC)
- (One of) the points of U2F is that your credentials are tied to a specific origin (domain). Thus it intends to reduce social engineering attacks like you describe above, as the human is no longer responsible for determining if the site in question is actually Wikipedia or not. Thus I don't think this oppose makes sense. BWolff (WMF) (talk) 22:07, 28 November 2017 (UTC)
- Oppose per above, SHA-256 is too long for external users who hate English to understand. --Liuxinyu970226 (talk) 12:43, 28 November 2017 (UTC)
- This definitely doesn't make sense, as users of U2F don't have to know anything about SHA-256 to use it. In the same way visiting this page doesn't require you to understand SHA-256 despite the fact your web browser has to in order to connect to Wikipedia (depending on cipher selection for TLS). BWolff (WMF) (talk) 22:07, 28 November 2017 (UTC)
- Support Combining something you know with something you have is a very well established security practice that stops a large number of attacks. It is true that users must still choose strong passwords and keep them safe, and that they should be encouraged to use password managers. But saying that 2FA is redundant once the users are doing the above is at best a gross underestimation of the security problems involved, if not a sign of incompetence. I'm sorry if I sound rude, but this is exactly an example of how the human link is indeed the weakest one: when humans rely too much on certain technology, be it HTTPS, password strength or something else. This is also connected with one more reason why 2FA is very much desirable: the multi-layer approach to security, which is another basic security principle. HTTPS, HSTS and everything else (including U2F, for that matter) can and will fail one day. But when you have multiple layers of protection, the probability that all of them will fail at the same time is much lower. Therefore, I strongly endorse the U2F support, although I'm not sure why there's a separate suggestion, as U2F is already mentioned in Make 2FA easier to use. — Luchesar • T/C 20:48, 28 November 2017 (UTC)
- Support Thomas Obermair 4 (talk) 21:35, 28 November 2017 (UTC)
- Support 𝔊 (Gradzeichen Diſk✉Talk) 06:45, 29 November 2017 (UTC)
- Support I'd love to have this as an option for those who'd want to use it. —TheDJ (talk • contribs) 10:01, 29 November 2017 (UTC)
- Oppose if it's meant as a forced choice; neutral if an option. --g (talk) 00:16, 30 November 2017 (UTC)
- 2FA is an option as of now and I don't think it will be forced anyway for now. — regards, Revi 06:15, 30 November 2017 (UTC)
- Support Yes. Please. Those oppose reasons don't make sense. That password manager oppose doesn't make sense, as per BWolff. — regards, Revi 06:15, 30 November 2017 (UTC)
- Oppose Who will provide/handle/maintain the list of compatible hardware devices? Who will guarantee that all admins in all countries have easy access to buy those devices (think about commercial restrictions, restrictive local laws on security devices and so on)? Did you consider that a "cheap 15US$" may not sound so "cheap" in many countries of the world (in Bangladesh, the average wage is 17US$ per month, so your "cheap 15US$" would mean "one month of salary" for them)? "Forcing" this device may discourage users in such conditions from standing for adminship or other "sensitive" roles. And yes, I see that this goes "against" the mantra "we need more admins, we need to encourage admin candidatures": it introduces a physical and economic barrier: unnecessary, and not in the spirit of a "Free Encyclopedia". Especially considering that 2FA is already there, for free, for all. --L736E (tell me) 07:48, 30 November 2017 (UTC)
- Support Winston Spencer (talk) 13:11, 30 November 2017 (UTC)
- Support WQL (talk) 09:51, 1 December 2017 (UTC)
- Support Eug (talk) 11:58, 1 December 2017 (UTC)
- Support Jacob Robertson (talk) 13:58, 1 December 2017 (UTC)
- Support Terra ❤ (talk) 06:39, 2 December 2017 (UTC)
- Support Emir of Wikipedia (talk) 15:41, 2 December 2017 (UTC)
- Support, and those opposes based on a misunderstanding that U2F would be a forced replacement for the existing 2FA need to be disregarded. Boing! said Zebedee (talk) 21:32, 2 December 2017 (UTC)
- Support This definitely should be as an alternative to OATH for those who don't have a hardware device, but U2F should definitely be an option for those of us who do. [stwalkerster|talk] 22:42, 2 December 2017 (UTC)
- Support I don't see why the option should not exist: it's only if we were coercing people to implement this instead of 2FA that we'd have a problem, and that seems to be no part of the proposal. Vanamonde93 (talk) 06:15, 3 December 2017 (UTC)
- Support Tiputini (talk) 07:13, 4 December 2017 (UTC)
- Support with low priority. I have no problem adding this as an option, but I have doubts about the number of users who would adopt this as a solution. Aervanath (talk) 00:26, 5 December 2017 (UTC)
- Support —Alvaro Molina (✉ - ✔) 01:35, 5 December 2017 (UTC)
- Support as an alternative method. the wub "?!" 00:30, 6 December 2017 (UTC)
- Support with low priority. Yohannvt (talk) 11:56, 6 December 2017 (UTC)
- Support Zppix (talk) 14:19, 7 December 2017 (UTC)
- Support Ahm masum (talk) 21:13, 7 December 2017 (UTC)
- Oppose, probably too costly for very limited impact. I think quite few users would prefer U2F over 2FA, and on the other side having a U2F that would fit all users would be rather costly to develop. U2F imposes very significant limits (e.g. it relies on only two browsers, it might not be available in certain countries etc.) which probably make investment in it not that cost-efficient — NickK (talk) 20:32, 8 December 2017 (UTC)
- Support -- as optional of course NaBUru38 (talk) 22:34, 9 December 2017 (UTC)