Community Wishlist Survey 2019/Bots and gadgets/2FA available for all concerned editors

From Meta, a Wikimedia project coordination wiki


  • Problem: Available 2FA for all concerned editors. Everyone should have additional security on their account if they so desire. Why is it just limited to users with advanced permissions?
  • Who would benefit: Currently these user groups are still vulnerable (Template editor, Mass message sender, Ipblock-exempt, Edit filter managers, Pending changes reviewer, rollbacker, autoreviewer, patroller). And all the concerned editors who don't like to be hacked.
  • Proposed solution: First, enable the "existing" 2 factor authentication for these user groups. Then make "Toolforge" capable enough so that it can provide "2fa" service for all editors.
  • More comments:
  • Phabricator tickets: phab:T166622
  • Proposer: Ahm masum (talk) 13:15, 8 November 2018 (UTC)

Discussion

@Ahm masum: Are you sure that phab:T100373 is the task about this proposal and not phab:T166622 instead? --AKlapper (WMF) (talk) 12:44, 9 November 2018 (UTC)

@AKlapper (WMF): OOPS, MY BAD. THANKS. --Ahm masum (talk) 21:03, 9 November 2018 (UTC)
  • I support this wholeheartedly. I even duplicated it here before realizing this had been started. But, better security should be for everyone on Wiki, not just a selected few groups. 2FA should be available to everyone. DaneGeld (talk) 19:32, 10 November 2018 (UTC)
  • This needs better ways to revoke and reset credentials, and also being able to test the solution to see if the user fully understands how it works. No, it is not a real solution to email a reset link or to SMS additional codes, but it could be sufficient during a one-day or one-week training phase. — Jeblad 08:15, 18 November 2018 (UTC)
  • When my phone with the authenticator on it died, I lost the ability to access my account. While I agree all functionaries should use 2FA, we would need to check to see if there are resources to support all editors. Doc James (talk · contribs · email) 03:58, 20 November 2018 (UTC)
  • What Doc James said is the exact reason this has not happened yet: 2FA reset can currently only be done by developers, which does not scale. The problem is being worked on and 2FA for everyone who wants it is definitely the end goal. Until then, if you feel particularly unsafe, you can request membership in the oathauth-tester global group as a temporary workaround (example). --Tgr (talk) 22:30, 25 November 2018 (UTC)
Hi Tisza Gergő. I've seen your contribution at Phabricator. Highly appreciate it. Please give me some info. What's the current status of phab:T195207, phab:T180896 & Special:DisableOATHForUser? What does it actually mean? Does it mean we implemented a "Special page" but it won't work until some specific criteria are fulfilled (triage)? Am I missing something?
What's the most viable solution for these problems, do you think?
How could we make & MAINTAIN a web interface in such a way that the "reset process" can't take WMF staff's valuable time? @Tgr: @AKlapper (WMF): @TheDJ: -- Ahm masum (talk) 10:53, 27 November 2018 (UTC)
@Ahm masum: the special page works but there is no limitation on its usage, so only extremely highly trusted users can be given access to it (stewards, at best; maybe just staff). IMO that's not good enough for wide deployment and the page needs to be made less powerful (I'm not really involved in the decision-making about OATH though, so that's just my personal opinion). But understandably people are more worried about making sure that the users who already can use 2FA actually do (since the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones), so fixing the special page is lower priority. --Tgr (talk) 18:34, 27 November 2018 (UTC)
  • Anyone can already get 2FA access by asking on SRGP. We could make a separate page for requesting 2FA access if needed, maybe one that's simpler where you just add your username (or click a fancy js button that does it for you) and then stewards can assign based on that. The page could also include all the required reading and warning to save the scratch codes. – Ajraddatz (talk) 01:43, 26 November 2018 (UTC)
  • Just a heads up that SMS 2FA will not be implemented, it's been against best practices for years because it's very insecure [1], never mind having to deal with saving personal information such as peoples mobile phone numbers. Reedy (talk) 23:33, 6 December 2018 (UTC)
  • I understand, as a question of better security, the Foundation's current focus is the "advanced user groups". Of course; the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones. So here are some ideas that I got (inspired by TheDJ) so that both parties could be happy & it won't cost WMF staff's valuable time.

Proposed solution for advanced user groups (just thoughts):

  1. In the "simple 2FA" make an option so that advanced users can save their "Emergency tokens/scratch codes" in another location/device (it can be Dropbox, LastPass or Keeper). As an additional security measure give them the ability to "make their own security questions & answers". It could be stored in the same location. It'll only be required when he makes a "reset" request.
  2. Give them a web interface to request a reset. It could be a special page like "Special:ResetRequest" (SP:RR), similar to Special:DisableOATHForUser, or it could be a "pop up" similar to those of FB/Google (as a part of the MediaWiki software). It could have a "dropdown menu" so that he can select his native wiki & known admins. It could also have a "textbox area" where the user will write down something & try to prove his identity.
  3. Make that "interface/pop up" conditional, similar to those of FB/Google, so that most hackers couldn't even make a request.

User needs to enter his name and password to initiate request.

    • Check if user knows his password
    • Check if verified email address and password were not changed recently (last 30 days?)
    • Check if user knows his correct "security answer".
    • Log if user was still logged in when making the request
    • Log if request was initiated from known devices, browsers or IPs.

After all these criteria are fulfilled, the request will be automatically posted in two different places. One will be the village pump (his native wiki) & the other will be Meta (Steward_requests/Permissions#Removal_of_access). Only after the local community confirms his identity will the local admin ping a steward & he'll make the decision (by executing Special:DisableOATHForUser).

Proposed solution for all the non-privileged editors (just thoughts):

  1. Like all the other popular web entities (FB/G), we could make an SMS-based authentication an "Optional Beta Feature". Though it's not the most secure way, we must agree that it makes the user feel safer than before.
  2. Like all the other popular web entities (FB/G), we could make a "Saved Device & Login Notification" feature an "Optional Beta Feature". When someone tries to log in from an unknown device, the user will get a login notification & SMS.
  3. We could make a cryptographic feature similar to FB's "Encrypted notification emails" as an "Optional Beta Feature". It'll make the reset & notification emails more secure even when the email is compromised. MediaWiki could have a function to generate an "OpenPGP Public Key" the way "igolder" does & it could be saved in another location/device (it can be Dropbox, LastPass or Keeper).

It's just some thoughts that I wanted to share. I have no expertise in these fields. Please excuse my noviceness. THANKS --- Ahm masum (talk) 20:37, 29 November 2018 (UTC)
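The reset-request gate sketched in the "advanced user groups" proposal above, written out as an added illustration (this is not code from the proposal, from MediaWiki or from the OATHAuth extension). It separates the hard requirements (password known, verified email, no email/password change in the last 30 days, correct security answer) from the signals that are only logged (active session, known device, known IP), and posts an accepted request to the two places the proposal names. The Account fields, the sample values and the target page names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RECENT_CHANGE_WINDOW = timedelta(days=30)  # proposal: "not changed recently (last 30 days?)"

@dataclass
class Account:  # constructed record: holds check outcomes, never the secrets themselves
    home_wiki: str
    password_ok: bool             # result of the password check done by the login code
    email_verified: bool
    email_changed_at: datetime
    password_changed_at: datetime
    security_answer_ok: bool      # result of comparing the (hashed) security answer
    known_devices: frozenset
    known_ips: frozenset

def evaluate_reset_request(acct, now, session_active, device_id, ip):
    """Return (accepted, failed_checks, logged_signals); hard checks gate, soft ones are logged."""
    failed = []
    if not acct.password_ok:
        failed.append("password check failed")
    if not acct.email_verified:
        failed.append("email address not verified")
    if now - acct.email_changed_at < RECENT_CHANGE_WINDOW:
        failed.append("email changed within 30 days")
    if now - acct.password_changed_at < RECENT_CHANGE_WINDOW:
        failed.append("password changed within 30 days")
    if not acct.security_answer_ok:
        failed.append("security answer incorrect")
    # Soft signals are only logged, for the local community and steward who confirm identity.
    signals = {"session_active": session_active,
               "known_device": device_id in acct.known_devices,
               "known_ip": ip in acct.known_ips}
    return (not failed, failed, signals)

def posting_targets(acct, now, session_active, device_id, ip):
    """Accepted requests go to the home wiki's village pump and Meta SRP; rejected ones nowhere."""
    if not evaluate_reset_request(acct, now, session_active, device_id, ip)[0]:
        return []
    return [f"{acct.home_wiki}:Village pump", "meta:Steward_requests/Permissions"]

def sample_account(days_since_change=200, **overrides):
    """Constructed sample account that passes every check unless a field is overridden."""
    now = datetime(2018, 11, 29, tzinfo=timezone.utc)
    fields = dict(home_wiki="bn", password_ok=True, email_verified=True, security_answer_ok=True,
                  email_changed_at=now - timedelta(days=days_since_change),
                  password_changed_at=now - timedelta(days=days_since_change),
                  known_devices=frozenset({"phone-1"}), known_ips=frozenset({"203.0.113.7"}))
    fields.update(overrides)
    return Account(**fields), now
```

A request that fails any hard check is never posted, so the community and stewards only see requests that already passed the automatic screening, which is the proposal's point about not consuming staff time.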

Most of the suggestions here have nothing to do with the actual wish as stated up top, but FWIW, SMS notification is T150902, and encrypted emails is T12453. --Tgr (talk) 07:04, 10 December 2018 (UTC)

Voting

  • Support More security for more users is always a good option. OverlordOdin (talk) 18:25, 16 November 2018 (UTC)
  • Support SEMMENDINGER (talk) 19:15, 16 November 2018 (UTC)
  • Support James Martindale (talk) 19:25, 16 November 2018 (UTC)
  • Support StudiesWorld (talk) 19:36, 16 November 2018 (UTC)
  • Support Tom Ja (talk) 19:47, 16 November 2018 (UTC)
  • Support Wostr (talk) 19:55, 16 November 2018 (UTC)
  • Support XXBlackburnXx (talk) 19:58, 16 November 2018 (UTC)
  • Support George Ho (talk) 20:30, 16 November 2018 (UTC)
  • Support Jeroen N (talk) 23:37, 16 November 2018 (UTC)
  • Support Definitely appropriate and necessary. Thanks for this suggestion. Super Wang on zhwiki (Share your opinions) 23:58, 16 November 2018 (UTC)
  • Support Meisam (talk) 00:04, 17 November 2018 (UTC)
  • Support Cohaf (talk) 00:17, 17 November 2018 (UTC)
  • Support — JJMC89(T·C) 00:21, 17 November 2018 (UTC)
  • Support The Grid (talk) 01:57, 17 November 2018 (UTC)
  • Support Rschen7754 02:28, 17 November 2018 (UTC)
  • Support Ellery (talk) 02:40, 17 November 2018 (UTC)
  • Support Liuxinyu970226 (talk) 03:42, 17 November 2018 (UTC)
  • Support Enterprisey (talk) 04:06, 17 November 2018 (UTC)
  • Support Hiàn (talk) 04:43, 17 November 2018 (UTC)
  • Support 4nn1l2 (talk) 05:49, 17 November 2018 (UTC)
  • Support Fabiorahamim (talk) 07:00, 17 November 2018 (UTC)
  • Support Kpgjhpjm (talk) 09:00, 17 November 2018 (UTC)
  • Support ديفيد عادل وهبة خليل 2 (talk) 09:18, 17 November 2018 (UTC)
  • Support Afernand74 (talk) 09:36, 17 November 2018 (UTC)
  • Support 水瀬悠志 (talk) 09:38, 17 November 2018 (UTC)
  • Support ZellmerLP (talk) 09:59, 17 November 2018 (UTC)
  • Oppose I think that as it is 2FA is not really robust enough to be allowed for everybody, we still have issues with people getting locked out of their accounts. That and I am generally wary of security measures that require a lot of instructions to follow. Jo-Jo Eumerus (talk, contributions) 10:07, 17 November 2018 (UTC)
  • Support Like tears in rain (talk) 11:14, 17 November 2018 (UTC)
  • Support Martin Urbanec (talk) 13:51, 17 November 2018 (UTC)
  • Support Sakretsu (talk) 14:28, 17 November 2018 (UTC)
  • Strong oppose Per Jo-Jo Eumerus, primarily. 2FA over here is hands-down the worst of all I've used and an aggressive pushing of 2FA (though optional) will lead to more registrations and consequently, more lock-downs. If anybody has a profound interest, he/she can easily request at Steward's Noticeboard (over Meta) to install 2FA on his/her account. Winged Blades of Godric (talk) 15:42, 17 November 2018 (UTC)
  • Support Blue Rasberry (talk) 15:47, 17 November 2018 (UTC)
  • Support Micru (talk) 16:04, 17 November 2018 (UTC)
  • Support Cabayi (talk) 17:24, 17 November 2018 (UTC)
  • Support Amir (talk) 19:01, 17 November 2018 (UTC)
  • Support JAn Dudík (talk) 20:04, 17 November 2018 (UTC)
  • Support Yamaha5 (talk) 20:34, 17 November 2018 (UTC)
  • Support MehdiTalk 20:36, 17 November 2018 (UTC)
  • Support Fatemi 20:41, 17 November 2018 (UTC)
  • Support This would be a move towards securing the accounts of more and more Wikipedians. SshibumXZ (talk) 21:05, 17 November 2018 (UTC)
  • Support Ammarpad (talk) 21:16, 17 November 2018 (UTC)
  • Support Imzadi 1979 05:10, 18 November 2018 (UTC)
  • Support Temp3600 (talk) 05:41, 18 November 2018 (UTC)
  • Support Poya-P (talk) 06:14, 18 November 2018 (UTC)
  • Support — Newslinger talk 07:42, 18 November 2018 (UTC)
  • Support فرهنگ2016 (talk) 10:40, 18 November 2018 (UTC)
  • Support Sunfyre (talk) 13:56, 18 November 2018 (UTC)
  • Support stwalkerster (talk) 17:14, 18 November 2018 (UTC)
  • Support Pepe piton (talk) 17:48, 18 November 2018 (UTC)
  • Support Hyperik (talk) 20:26, 18 November 2018 (UTC)
  • Support Stryn (talk) 21:51, 18 November 2018 (UTC)
  • Support Better security should be a priority for all of us, not just those with specific tasks to undertake or roles to fulfill. Every user should be able to choose to use 2FA. DaneGeld (talk) 22:47, 18 November 2018 (UTC)
  • Support Titore (talk) 02:20, 19 November 2018 (UTC)
  • Oppose My ability to edit Wikipedia should not depend on my ability to remember an arbitrary string of numbers. FR30799386 (talk) 07:10, 19 November 2018 (UTC)
You don't need to remember the numbers, your 2FA app will give you the numbers you need. --Terra (talk) 15:32, 20 November 2018 (UTC)
  • Support ·addshore· talk to me! 10:00, 19 November 2018 (UTC)
  • Support Trizek from FR 10:23, 19 November 2018 (UTC)
  • Support but improve UI/documentation and work on phab:T180896 TheDJ (talk · contribs) 10:38, 19 November 2018 (UTC)
  • Support Muntashir.islam (talk) 11:33, 19 November 2018 (UTC)
  • Support - tucoxn\talk 14:17, 19 November 2018 (UTC)
  • Support Courcelles 15:06, 19 November 2018 (UTC)
  • Support Sadads (talk) 17:52, 19 November 2018 (UTC)
  • Support StringRay (talk) 22:34, 19 November 2018 (UTC)
  • Support Jamesmcmahon0 (talk) 10:29, 20 November 2018 (UTC)
  • Support Ejs-80 11:52, 20 November 2018 (UTC)
  • Support Thibaut120094 (talk) 14:24, 20 November 2018 (UTC)
  • Strong oppose No easy way to get back into your account if you lose access. --Terra (talk) 15:48, 20 November 2018 (UTC)
  • Support Lofhi (talk) 17:37, 20 November 2018 (UTC)
  • Support Mounir Touzri (talk) 18:44, 20 November 2018 (UTC)
  • Support CAPTAIN RAJU(T) 22:31, 20 November 2018 (UTC)
  • Support Novak Watchmen (talk) 00:00, 21 November 2018 (UTC)
  • Support Vulphere 05:16, 21 November 2018 (UTC)
  • Support Laboramus (talk) 07:25, 21 November 2018 (UTC)
  • Support BMK (talk) 10:59, 21 November 2018 (UTC)
  • Support Arian Talk 18:41, 21 November 2018 (UTC)
  • Support Just make sure it's opt-in. Topper13009 (talk) 20:06, 21 November 2018 (UTC)
  • Strong oppose per TerraCodes. Nihlus 22:16, 21 November 2018 (UTC)
  • Support Krinkle (talk) 01:45, 22 November 2018 (UTC)
  • Support CosmosAway (talk) 14:52, 22 November 2018 (UTC)
  • Support Sebari – aka Srittau (talk) 19:48, 22 November 2018 (UTC)
  • Support More security always is good. SalmanZ (talk) 21:09, 22 November 2018 (UTC)
  • Support Bilijin (talk) 06:52, 23 November 2018 (UTC)
  • Support AnuJuno (talk) 06:54, 23 November 2018 (UTC)
  • Support MisterSynergy (talk) 10:22, 23 November 2018 (UTC)
  • Support ~Cybularny Speak? 15:56, 23 November 2018 (UTC)
  • Support Mbrickn (talk) 21:17, 23 November 2018 (UTC)
  • Support Sannita - not just another it.wiki sysop 00:28, 24 November 2018 (UTC)
  • Support Pf1127 (talk) 06:41, 24 November 2018 (UTC)
  • Support Hmxhmx 10:01, 24 November 2018 (UTC)
  • Support Gce (talk) 18:53, 24 November 2018 (UTC)
  • Support Tgr (talk) 22:30, 25 November 2018 (UTC)
  • Support — AfroThundr (u · t · c) 01:45, 26 November 2018 (UTC)
  • Oppose Don't like the idea of pushing 2FA. Dreamy Jazz (talk) 08:51, 26 November 2018 (UTC)
  • Oppose per Jo-Jo Eumerus and TerraCodes. NinjaStrikers «» 11:40, 26 November 2018 (UTC)
  • Support Miles.world (talk) 23:18, 26 November 2018 (UTC)
  • Support, noting the concerns by opposers. 2FA needs a sane design before being rolled out to the masses. --Izno (talk) 00:42, 27 November 2018 (UTC)
  • Support Amir E. Aharoni (talk) 12:32, 27 November 2018 (UTC)
  • Support As long as it's optional ... Daniel Case (talk) 17:53, 27 November 2018 (UTC)
  • Oppose Ciao • Bestoernesto 01:04, 28 November 2018 (UTC)
  • Support Yes, please add optional 2FA to help keep accounts from being compromised. Culix (talk) 04:01, 28 November 2018 (UTC)
  • Oppose While this is a great idea in a security aspect, unless they make a better system to reset 2FA if the scratch codes are lost, I say don't do this. As of right now (as far as I recall) the Wikimedia operations team has to reset 2FA if scratch codes are lost, therefore giving anyone access to 2FA could lead to a huge backlog of requests to reset 2FA. Zppix (talk) 22:18, 28 November 2018 (UTC)
No it doesn't require Ops. Reedy (talk) 23:31, 6 December 2018 (UTC)