Jump to content

Community Wishlist Survey 2019/Bots and gadgets/2FA available for all concerned editors

From Meta, a Wikimedia project coordination wiki

2FA available for all concerned editors

  • Problem: Available 2FA for all concerned editors. Everyone should have additional security on their account if they so desire. Why is it just limited to users with advanced permissions?
  • Who would benefit: Currently these user group's still vulnerable (Template editor,Mass message sender,Ipblock-exempt,Edit filter managers,Pending changes reviewer,rollbacker,autoreviewer,patroller). And all the concerned editors who dont like to be hacked.
  • Proposed solution: First, enable the "existing" 2 factor authentication for these user groups. Then make "Toolforge" enough capable so that it can provide "2fa" service for all editors.
  • More comments:
  • Phabricator tickets: phab:T166622
  • Proposer: Ahm masum (talk) 13:15, 8 November 2018 (UTC


@Ahm masum: Are you sure that phab:T100373 is the task about this proposal and not phab:T166622 instead? --AKlapper (WMF) (talk) 12:44, 9 November 2018 (UTC)[reply]

@AKlapper (WMF): OPP'S, MY BAD . THANKS.--Ahm masum (talk) 21:03, 9 November 2018 (UTC)[reply]
  • I support this wholeheartedly. I even duplicated it here before realizing this had been started. But, better security should be for everyone on Wiki, not just a selected few groups. 2FA should be available to everyone. DaneGeld (talk) 19:32, 10 November 2018 (UTC)[reply]
  • This needs better ways to revoke and reset credentials, and also being able to test the solution to see if the user fully understands how it work. No, it is not a real solution to email a reset link or to SMS additional codes, but it could be sufficient during a one-day or one-week training phase. — Jeblad 08:15, 18 November 2018 (UTC)[reply]
  • When my phone with authenticator on it died, I lost the ability to access my account. Will I agree all functionaires should use 2FA would need to check to see if there is resources to support all editors. Doc James (talk · contribs · email) 03:58, 20 November 2018 (UTC)[reply]
  • What Doc James said is the exact reason this has not happened yet: 2FA reset can currently only be done by developers, which does not scale. The problem is being worked on and 2FA for everyone who wants it is definitely the end goal. Until then, if you feel particularly unsafe, you can request membership in the oathauth-tester global group as a temporary workaround (example). --Tgr (talk) 22:30, 25 November 2018 (UTC)[reply]
Hi Tisza Gergő . I've seen your contribution at phabricator. Highly appreciate it. Please give me some info. What's the current status of phab:T195207  ; phab:T180896 & Special:DisableOATHForUser ? What's it actually mean? Does it mean we implemented a "Special page" but it wont work until some specific criteria is fulfilled (triage)? Am i missing something?
whats the most viable solution for these problems, you think?
How could we make & MAINTAIN a web interface in such a way so that the "reset process" can't take "wmf stuffs" valuable time?@Tgr:@AKlapper (WMF):@TheDJ: -- Ahm masum (talk) 10:53, 27 November 2018 (UTC)[reply]
@Ahm masum: the special page works but there is no limitation on its usage so only extremely highly trusted users can be given access to it (stewards, at best; maybe just staff). IMO that's not good enough for wide deployment and the page needs to be made less powerful (I'm not really involved in the decisionmaking about OATH though so that's just my personal opinion). But understandably people are more worried about making sure that the user who already can use 2FA actually do (since the hijacking of a privileged account is much much more problematic than the hijacking of a couple or even many non-privileged ones), so fixing the special page is lower priority. --Tgr (talk) 18:34, 27 November 2018 (UTC)[reply]
  • Anyone can already get 2FA access by asking on SRGP. We could make a separate page for requesting 2FA access if needed, maybe one that's simpler where you just add your username (or click a fancy js button that does it for you) and then stewards can assign based on that. The page could also include all the required reading and warning to save the scratch codes. – Ajraddatz (talk) 01:43, 26 November 2018 (UTC)[reply]
  • Just a heads up that SMS 2FA will not be implemented, it's been against best practices for years because it's very insecure [1], never mind having to deal with saving personal information such as peoples mobile phone numbers. Reedy (talk) 23:33, 6 December 2018 (UTC)[reply]
  • I understand , as a question of better security , "foundations" current focus is the "advanced user groups". Of course; the hijacking of a privileged account is much much more problematic than the hijacking of a couple or even many non-privileged ones. So here's some idea that i got (inspired from TheDJ) so that both parties could be happy & it won't cost WMF stuff's valuable time.

proposed solution for advanced user groups (just thoughts):

  1. In the "simple 2fa" make a option so that advance users can save their "Emergency tokens/scrath codes" in another location/device (it can be dropbox , lastpass or Keeper). As a additional security give them the ability to "make their own security question & answer's ". It could be stored in the same location. It'll only required when he'll make a "reset" request.
  2. Give them a web interface to request a reset . it could be a special page like "Special:ResetRequest" (SP:RR), similar to Special:DisableOATHForUser or it could be a "pop up" similar to those of fb/googles (as a part of mediawiki software). it could have a "dropdown menu" so that he can select his netive wiki & known admins. it could also have a "textbox area" where the user will write down something & try to prove his identity.
  3. Make that "interface/pop up" conditional , similar to those of fb/googles so that most of the hacker couldn't even make a request.

User needs to enter his name and password to initiate request.

    • Check if user knows his password
    • Check if verified email address and password were not changed recently (last 30 days?)
    • Check if user knows his correct "security answer".
    • Log if user was still logged in when making the request
    • Log if request was initiated from known device's,browser or ips.

After all these criteria is fulfilled , the request will be automatically posted in two different place's . one will be the village pump (his netiv wiki) & the other will be the META (Steward_requests/Permissions#Removal_of_access). only after the the local community confirmed his identity , the local admin will ping a steward & he'll made the decision (by executing Special:DisableOATHForUser).

Proposed solution for all the non privileged editors (just thoughts):

  1. Like all the other popular web entity's (Fb/G) , we could make a SMS based authentication as a "Optional Beta Features". Though it's not the most secure way but we must agree that it make the user feel more safer then before.
  2. Like all the other popular web entity's (Fb/G) , we could make a "Saved Device & Login Notification" feature as a "Optional Beta Features". when someone try to login from a unknown device user will get a login notification & SMS.
  3. We could make a cryptographic feature similar to Fb's "Encrypted notification emails" . as a "Optional Beta Features" it'll make the reset & notification email more secure even when the email is compromised. mediawiki could have a function to generate "OpenPGP Public Key" like the way "igolder" do & it could be saved in another location/device (it can be dropbox , lastpass or Keeper).

It's just some thought that i wanted to share. I have no expertise in these fields. please excuse my noviceness.THANKS --- Ahm masum (talk) 20:37, 29 November 2018 (UTC)[reply]

Most of the suggestions here have nothing to do with the actual wish as stated up top, but FWIW, SMS notification is T150902, and encrypted emails is T12453. --Tgr (talk) 07:04, 10 December 2018 (UTC)


You don't need to remember the numbers, your 2FA app will give you the numbers you need. --Terra  (talk) 15:32, 20 November 2018 (UTC)[reply]
No it doesn't require Ops. Reedy (talk) 23:31, 6 December 2018 (UTC)[reply]