Help talk:Two-factor authentication/Archives/2016

From Meta, a Wikimedia project coordination wiki

mark version for translation

@Xaosflux: Can you please mark the last version for translation? Thanks. --Bjarlin (talk) 20:11, 14 November 2016 (UTC)

@Bjarlin: Done. — xaosflux Talk 21:06, 14 November 2016 (UTC)
Thanks. :-) Now there's another version to mark. --Bjarlin (talk) 17:42, 15 November 2016 (UTC)
Done as well. —MarcoAurelio 13:44, 19 November 2016 (UTC)
This section was archived on a request by: —MarcoAurelio 13:44, 19 November 2016 (UTC)

Guides for script/bot users

We could do with simple guides (with screen shots) for users relying on API scripts or pywikibot which will need 2FA added. There is specific help for pywikibot at mw:Manual:Pywikibot/OAuth, but it presumes a lot of background knowledge, so could do with practical examples and the workflow explained with screenshots. -- (talk) 23:45, 12 November 2016 (UTC)

We should probably just link to a specific help page on that, and not put the directions here. I did spell out the basics of BotPasswords here. — xaosflux Talk 00:54, 13 November 2016 (UTC)
@Xaosflux: I'm not convinced that BotPasswords works with Pywikibot's login.py from the command line. I can get the password to fail, but when the correct BotPassword gets passed, login.py drops out with "KeyError: u'cookieprefix'". Anyone experienced this before? If it's a known bug I'd rather not invest time investigating.
... Good news everyone, after a git pull, this now works, though setting up a password file seems necessary. I guess it must have been a bug with login.py that's been fixed recently.
... Following with bad news. Login.py does log in; however, scripts do not inherit the login for some reason and think that the user is "None". It looks like the latest Pywikibot core still has some issue with handling BotPasswords correctly. -- (talk) 18:35, 13 November 2016 (UTC)
Now written up at Phab:T150645. -- (talk) 10:20, 14 November 2016 (UTC)

30-second codes

Are the codes that last 30 seconds distinct from "scratch codes"? If so, I suggest a more distinct name like "30-second codes". If not, it sounds as if I would be unable to use Wikipedia more than five times. Art LaPella (talk) 01:03, 13 November 2016 (UTC)

YES! The scratch codes are a one-time batch of codes, I'll make a picture. — xaosflux Talk 01:13, 13 November 2016 (UTC)

Setting up / 'transferring authentication'

This wording is vague, and somewhat misleading. To program a different code generator to produce legitimate verification codes, you do NOT need the scratch codes... you need the 'two factor account name' and 'two-factor secret key' that were supplied when enabling 2FA, directly below the QR code (which is itself the exact same information). It's the same information you would use to manually program a device to begin with, if unable to scan the QR code. With that information, you can program another device (or multiple devices, though you should not) to produce legitimate codes at any time.

Just to make it 'clear', the 'what you have' here is not actually your device... it is the account name, secret key, correct time, and knowledge of the algorithm.
Also, it should probably be made clear that generating codes on a device (like your computer) that you use to login to the wiki significantly weakens the security. Revent (talk) 09:12, 13 November 2016 (UTC)
@Revent: I re-wrote several sections - do you see anything else to add? — xaosflux Talk 16:49, 13 November 2016 (UTC)
@Xaosflux: There has been FUD about this already (see en:Wikipedia:Administrators'_noticeboard#Mass_message_draft, and my being told on IRC that a dewiki functionary was telling people this required a smartphone) so putting a basic explanation on the lowest level possible would be best. I'd say 'define' a token (the 6 digit code) as early as possible, and use the term consistently... even the most basic primer would be helpful, frankly. Tokens are a one-time pad that your 'whatever' generates from the secret. Revent (talk) 18:40, 13 November 2016 (UTC)

"... or other authentication device"

Like for instance? --Gereon K. (talk) 23:22, 13 November 2016 (UTC)

@Gereon K.: the authentication device can be anything you can install a TOTP client on. It does not require a data connection, or access to the telephone network. Clients can be installed on smart phones, tablets, even desktop computers. — xaosflux Talk 00:05, 14 November 2016 (UTC)
You could even build a web-based TOTP (see proof of concept here). I strongly recommend against loading a real account to that server though! — xaosflux Talk 00:08, 14 November 2016 (UTC)
So I would have to install a third party software to log in to Wikipedia? Ok, another way to safe editing would be to never become so known and important that someone would regard you as worth hacking. --Gereon K. (talk) 07:07, 14 November 2016 (UTC)

I'm confused too... The link w:en:Google_Authenticator#Implementations provides a very long list of little use. Can we directly mention any FLOSS option that people have, e.g. on f-droid? The infobox of that article also states that Google Authenticator is proprietary. I assume we're not requiring anyone to use proprietary stuff to login on Wikimedia wikis, so it would be useful to link some page which explains what's the thing which is actually required. Nemo 15:51, 16 November 2016 (UTC)

w:en:Wikipedia:Simple_2FA has some more examples, feel free to work them in to the help page. — xaosflux Talk 22:37, 16 November 2016 (UTC)
To be totally honest, it would be far better if the meta page looked more like that. If people want the theory of 2FA then there's probably a wiki page for that, this should be an actual "help" page :P – Ajraddatz (talk) 22:47, 16 November 2016 (UTC)
Not too much jargon and jokes though - this is meant to be translated to every language. Theory can come out though - just the howto. — xaosflux Talk 23:03, 16 November 2016 (UTC)
If freeotp/authy do what is stated, we should directly link those from here. There is no good reason to advertise proprietary software on Wikimedia documents. Nemo 06:57, 17 November 2016 (UTC)
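The posts in this section and in "Setting up / 'transferring authentication'" above make the same point: a TOTP client needs only the secret key, the current time and the (public) algorithm, which is why any device that can run an RFC 6238 client will do and why a second device programmed with the same secret produces identical codes. The following is an added example, not code from this help page or from any Wikimedia project; it implements RFC 4226/6238 in Python with the defaults the common authenticator apps use (HMAC-SHA1, 30-second step, 6 digits). DEMO_SECRET is the RFC 6238 test key, and the ScratchCodes class and its sample values are constructed to show how scratch codes differ from the 30-second codes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Defaults used by the common authenticator apps (RFC 6238):
# 30-second time step, 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 'two-factor secret key' shown under the QR code into raw bytes.
    Apps display it in spaced groups, often lower-case, and without '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
    so two devices sharing the secret and a correct clock agree on the code."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side so a
    device whose clock drifts by under a minute still works. compare_digest keeps the
    comparison constant-time."""
    key = decode_secret(secret_b32)
    step = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(key, step + delta), submitted)
        for delta in range(-window, window + 1)
    )


class ScratchCodes:
    """Scratch codes are unrelated to the clock: a fixed batch issued once at enrolment,
    each redeemable exactly one time. The codes passed in are constructed sample values."""

    def __init__(self, codes):
        self._unused = set(codes)

    def redeem(self, code: str) -> bool:
        if code in self._unused:
            self._unused.remove(code)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    print("code for the current 30-second step:", totp(DEMO_SECRET, now))
```

Because the whole "what you have" factor is the secret, anyone who can read it (a screenshot of the QR code, a secret stored on the same computer used to log in) can generate valid codes; that is the reason behind the advice above not to generate codes on the machine you log in from.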

WMF hosted solutions

I've created Phab:T150646 Create a Wikimedia hosted two-factor authentication app for multiple platforms. It may be that the WMF should host their own solution, or perhaps there are excellent strategic reason why this is not needed. I suggest those with serious concerns either way subscribe to the task on Phabricator. Something like this is unlikely to be resolved overnight, but it would be very relevant to kick around the strategy before considering a wider roll-out of 2FA to the community. -- (talk) 10:53, 14 November 2016 (UTC)

How to login to AWB?

So just how do we login to AWB after enabling 2FA? I keep getting "Login aborted" with no sign whatsoever as to how to resolve it. Timrollpickering (talk) 11:01, 17 November 2016 (UTC)

I think BotPasswords should be used for that. However, BotPasswords limits the capabilities of the accounts. I've filed phab:T150582 for AWB to support 2fa. Regards. —MarcoAurelio 11:08, 17 November 2016 (UTC)
BotPasswords just seems to talk about, well, bots. It's utterly incomprehensible. Timrollpickering (talk) 11:10, 17 November 2016 (UTC)
Yes, it's mainly for bots and I agree it might be difficult to understand. Maybe others with more experience on those fields such as @TheDJ, Anomie, and Reedy could share. Regards, —MarcoAurelio 11:35, 17 November 2016 (UTC)
@Timrollpickering: BotPasswords can be a little complex - I've written a guide here which may help -- samtar talk or stalk 12:45, 17 November 2016 (UTC)
@Timrollpickering: (e/c) The short answer that you are seeking is: A Bot password allows you to bypass 2FA, and you need this because AWB does not yet support 2FA.
Longer answer: A bot password is an alternate password for your account. Next to your main password, you can have multiple 'bot passwords' that will allow you to login as well. Where it says bot, you should interpret that as: "anything but you sitting behind a keyboard logging into the Wikipedia website using your browser".
A bot password is generated for you by Wikimedia, instead of you getting to pick it yourself. It will be sufficiently complicated that it will allow you to skip the 2FA step. Additionally, it will only be allowed to do those actions that you give it explicit permission to do on your behalf. You can revoke the password if you no longer use it or if your bot has been compromised etc.
The reason you need to use these, is because AWB only handles username/password authentication. This is for historic reasons, because the proper way for AWB to integrate with your account is something that it does not yet support, named en:OAuth. So a bot password is basically a more secure way for '3rd party' applications to login with username and password infrastructure until the time where the application is able to start using OAuth. —TheDJ (talkcontribs) 12:54, 17 November 2016 (UTC)
Another benefit of BotPasswords and OAuth grants is that you can set that logon to not be a full administrator - for most AWB use you only need to give it editing access. — xaosflux Talk 15:36, 17 November 2016 (UTC)
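TheDJ's and xaosflux's answers above describe the flow a tool such as AWB follows with a bot password: the login name is "Username@BotName", the password is the generated one, the login completes without a 2FA prompt, and the grants chosen on Special:BotPasswords limit what the session may do. The following is an added example, not code from this help page or from AWB, Pywikibot or MediaWiki; it drives the standard two-step Action API login (a login token from action=query&meta=tokens&type=login, then action=login) through an injectable transport so it runs offline. FakeBotPasswordApi, its credentials, grant list and response texts are constructed stand-ins for api.php; in real use the transport would wrap an HTTP session that keeps cookies between the two calls.

```python
import secrets
from typing import Callable, Dict

# The caller supplies a function that POSTs form fields to api.php and returns parsed
# JSON. Cookies must persist across both calls, so a real transport wraps one session.
Transport = Callable[[Dict[str, str]], dict]


def bot_login(api_post: Transport, username: str, bot_name: str, bot_password: str) -> dict:
    """Two-step MediaWiki Action API login with a bot password.
    Login name is 'Username@BotName'; the password is the generated value from
    Special:BotPasswords. This path never prompts for a TOTP code."""
    token_resp = api_post({"action": "query", "meta": "tokens", "type": "login", "format": "json"})
    login_token = token_resp["query"]["tokens"]["logintoken"]
    resp = api_post({
        "action": "login",
        "lgname": f"{username}@{bot_name}",
        "lgpassword": bot_password,
        "lgtoken": login_token,
        "format": "json",
    })
    return resp["login"]


class FakeBotPasswordApi:
    """Constructed stand-in for api.php holding one bot password and its grants.
    Response shapes follow the real API ('Success' / 'Failed' / 'WrongToken');
    the reason text is a constructed sample."""

    def __init__(self, username: str, bot_name: str, bot_password: str, grants):
        self._creds = (f"{username}@{bot_name}", bot_password)
        self._grants = set(grants)
        self._issued_tokens = set()
        self.logged_in_as = None

    def __call__(self, form: Dict[str, str]) -> dict:
        if form.get("action") == "query" and form.get("meta") == "tokens":
            token = secrets.token_hex(16) + "+\\"
            self._issued_tokens.add(token)
            return {"query": {"tokens": {"logintoken": token}}}
        if form.get("action") == "login":
            if form.get("lgtoken") not in self._issued_tokens:
                return {"login": {"result": "WrongToken"}}
            if (form.get("lgname"), form.get("lgpassword")) != self._creds:
                return {"login": {"result": "Failed", "reason": "Incorrect username or password entered."}}
            self.logged_in_as = self._creds[0].split("@")[0]
            return {"login": {"result": "Success", "lgusername": self.logged_in_as}}
        return {"error": {"code": "unknown_action"}}

    def may(self, grant: str) -> bool:
        """A bot-password session only has the grants ticked at creation time."""
        return self.logged_in_as is not None and grant in self._grants


if __name__ == "__main__":
    # Constructed account, bot name, password and grants ("basic" and "editpage" are
    # real MediaWiki grant names; "delete" is deliberately not granted).
    api = FakeBotPasswordApi("ExampleUser", "AWB", "constructed-bot-password", ["basic", "editpage"])
    print(bot_login(api, "ExampleUser", "AWB", "constructed-bot-password"))
    print("may edit:", api.may("editpage"), "may delete:", api.may("delete"))
```

The grant check at the end is the practical benefit xaosflux mentions: the AWB session can edit but cannot delete even though the underlying account may be an administrator, and revoking the bot password on Special:BotPasswords ends that access without touching the main password.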

SMS or phone-based codes?

Having this option would be great, as many other websites do. Just in case the TOTP client stops working for the user and the scratch codes are really hidden somewhere. - Mailer Diablo (talk) 04:05, 19 November 2016 (UTC)

The cost of SMS is significant I believe. Not sure if it would be prohibitive, but something to be considered. Also it would require us to store phone numbers, which is another set of sensitive data. Lastly, it's not safe enough anymore. —TheDJ (talkcontribs) 14:11, 19 November 2016 (UTC)

No scratch codes available

Hi, a question, I can't log in anymore due to my phone having died and lost everything that was there (including Google Authenticator settings). Scratch codes were there too - my fault - so I have no way to log in anymore right now. How should I proceed with this? (I can share my contact details if needed). -- Angelo --90.74.141.34 22:40, 23 December 2016 (UTC)

Are you claiming to be Special:CentralAuth/Angelo? How did you even enroll - you don't appear to be in any of the pilot groups. — xaosflux Talk 05:04, 24 December 2016 (UTC)
Regardless, you would need to convince a developer that you are who you claim to be, and convince them to assist. Do you have email enabled? — xaosflux Talk 05:06, 24 December 2016 (UTC)
No, I am User:Angelo.romano. I have email enabled (angelo [dot] romano [at] gmail [dot] com, namely). --82.53.104.159 21:35, 24 December 2016 (UTC)
Do you still have access to Phabricator? —MarcoAurelio 09:01, 26 December 2016 (UTC)
I queried Phabricator and I see no username for your account nor LDAP connections at wikitech. Unless some developers (ping @Reedy) can find a way to confirm your identity and delete the OAuth row for your account, I'm afraid your account will remain locked, which would be a pity. —MarcoAurelio 10:34, 26 December 2016 (UTC)

logging in on Safari for iOS

Hi, I'm having trouble logging in on Safari on iOS. Chrome for iOS works fine. Could this be connected to TFA? Thanks, --Gnom (talk) Let's make Wikipedia green! 10:13, 27 December 2016 (UTC)

What appears different for you? Are you seeing the 2FA entry screen after you successfully put in your password? — xaosflux Talk 20:14, 27 December 2016 (UTC)
Hi Xaosflux, I'm sorry I left this out: Here's the error message that I get when I try to log in. --Gnom (talk) Let's make Wikipedia green! 08:44, 28 December 2016 (UTC)
Gnom I don't read that language - but that appears to be the password screen, not the 2fa screen. Are you ever getting TO the 2fa input screen? — xaosflux Talk 03:37, 31 December 2016 (UTC)
Hi Xaosflux, I am not even getting to the 2fa input screen. The message reads, "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again." --Gnom (talk) Let's make Wikipedia green! 12:48, 31 December 2016 (UTC)
Seems to be the same problem as reported on de-wiki. Clearing Wikimedia/Wikipedia cookies can help. Stryn (talk) 13:54, 31 December 2016 (UTC)
That did the trick – thanks, Stryn! Also pinging AKlapper. All the best for the new year, --Gnom (talk) Let's make Wikipedia green! 14:10, 31 December 2016 (UTC)
For Firefox 50 I would have guessed phab:T151770. Not sure in this case. :-/ --AKlapper (WMF) (talk) 15:19, 31 December 2016 (UTC)