Meta:Requests for comment/Enable 2FA on meta for all users

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
An editor has requested comments on the issue described below. Please feel free to share your thoughts.

Statement of the issue[edit]

Basically just what it says on the tin. This will enable any user that purposefully comes here to meta: to activate two-factor authentication. While this is still "experimental" in practice anyone that comes here is getting rubber stamped by stewards and having this enabled. This should eliminate having to have stewards manage the "global testers" group as well. While 2FA is still in beta, people want it. We can include all the warnings etc we want on the sign up page. By enabling this only locally, it should prevent most clueless people from activating it on other projects (compared to if it were enabled globally).


  • Support Support as proposer. — xaosflux Talk 18:39, 29 November 2018 (UTC)
  • I don't think this is sustainable as long there is no scalable process for people to recover their account. Already with the recent push for two-factor authentication for privileged accounts we keep seeing users who lose access to their account and flood IRC or various support channels to get ad hoc support. Nemo 18:51, 29 November 2018 (UTC)
  • Support Support I see benefits and no drawbacks. This should reduce overhead per the proposal and increase security. Slam dunk. Edit conflict: Hm. Maybe there wouldn't be a reduction in overhead...Justin (koavf)TCM 18:51, 29 November 2018 (UTC)
  • I think security folks for now prefer not to allow all users access the 2FA feature IIRC. It is experimental and there's no way to self-recover your account if you happen to loose the 2FA device and the scratch codes (which has surprisingly happened to a lot of experienced people) without having to issue commands directly to the database. If we happen to enable this for all now, I expect the number of requests for 2FA reset to increase a lot, which is a process by itself very sensitive to social engineering. That'd strenghten even more the checks Trust and Safety do before removing 2FA from any account, and I fear many users will effectively loose their accounts (and yes, if they didn't read the instructions it's their problem, still it'd be a problem for us all). I can not oppose because asking people to consider having their accounts more secure is good, but I cannot support now for the above mentioned reasons. Regards, —MarcoAurelio (talk) 18:54, 29 November 2018 (UTC)
    @MarcoAurelio and Nemo bis: - I agree that there is a support problem here - but unless the stewards stop approving anyone who asks what do you see is the difference? — xaosflux Talk 18:56, 29 November 2018 (UTC)
    I cannot reply on behalf of my colleagues, but I do look at CentralAuth data about the user before giving the permission. If the account is too new, I reject the request as it is highly likelly that the user won't know how to use the feature nor what a committed identity is, etc. I think my fellow stewards do the same. Thanks. —MarcoAurelio (talk) 19:02, 29 November 2018 (UTC)
  • @Rschen7754: All users? Even 0-edit users? --Rschen7754 19:18, 29 November 2018 (UTC)
    Perhaps auto-confirmed (which another RfC is looking to change to 4days/5 edits here). — xaosflux Talk 19:30, 29 November 2018 (UTC)
  • I think we should find a middle ground between allowing everyone to access it and requiring people to request it on SRGP. Losing scratch codes is still a serious limitation and would exponentially increase dev time if it was introduced to the general public. What about making a sub-page of SRGP for 2FA access requests, where users just need to read a documentation page and sign their name on a list? We could even have some fancy JS to help them do it, and get them to leave a reason for the request and maybe even have some minimum standards (500 edits across Wikimedia for example). That might be a bit less daunting than an ambiguous request on the big SRGP page. – Ajraddatz (talk) 19:28, 29 November 2018 (UTC)
    @Ajraddatz: "everyone" is a bit much, this would at least require someone to purposefully come here to meta to enable it. (And perhaps require auto-confirmed?). For reference, the last user approved at SRGP had 140 global edits. — xaosflux Talk 19:33, 29 November 2018 (UTC)
    I would be more OK with autoconfirmed. And fair point, I just pulled 500 out of the air. – Ajraddatz (talk) 19:37, 29 November 2018 (UTC)
    @MarcoAurelio and Ajraddatz: if the hold back is because WMF says they can't deal with recovery requests - why are people still being added? Have they given any specific thresholds for number of testers, amount of effort they will commit? — xaosflux Talk 19:41, 29 November 2018 (UTC)
    Under the current system, non-admins need to understand what 2FA is and understand where to request it before being granted access. This means that in practice very few people are added each year, and those that are added generally know what it is and the risks of losing their scratch codes. This means that they do not take up dev time, because they know to save their codes in a secure place. Introducing it more publicly would allow less informed users to activate 2FA, leading to possible issues with forgetting scratch codes and dev time being taken up with account recovery. Or so is the concern. TL;DR there are minimal recovery requests generated under the status quo – Ajraddatz (talk) 19:44, 29 November 2018 (UTC)
    Thanks, If this is a WMF resource issue, I'm OK to shut down this RfC since even if community approved it will get denied. — xaosflux Talk 19:46, 29 November 2018 (UTC)
    We don't need to shut down discussion right away. This shows that there is significant community desire for 2FA to be more accessible, so it's worth us doing something to make life easier on people who want to secure their account. I'll make a table below that shows the various options that have been presented here, and how they would relate to the problem of recovery time. – Ajraddatz (talk) 19:50, 29 November 2018 (UTC)
    "Purposefully come" as 22 million registered users on Meta-Wiki? :) Accounts are global, it doesn't matter much where you enable 2FA. I can't see an automatic threshold as being useful. Even someone with 100k edits may not have a committed identity or any user able to confirm their identity. Nemo 21:53, 29 November 2018 (UTC)
    @Nemo bis: I'd look more at that 4,419 figure one line down. People have "accounts here" that never COME here. Many project editors have never ever heard of meta. If you are a dewiki editor or a fywikt editor, you may usually only use your own project or some others in your language. — xaosflux Talk 00:39, 30 November 2018 (UTC)
  • Neutral Neutral I think there is a non insignificant drawback that needs to be kept in mind. I think 5 scratch codes is too little - considering that at most 2 are needed to remove 2FA. The risk of running out of codes is high - considering that scratch codes are meant for those times when you don't have access to the device - and that one needs to disable and re-enable 2FA to generate another set of scratch codes. I think that concern needs to be resolved before it can be widely deployed. Leaderboard (talk) 12:16, 1 December 2018 (UTC)
  • Support Support. If two-factor authentication is available in the settings, but not advertised elsewhere in the site interface, editors who are familiar with the feature would be able to find it in the same location as most other 2FA-protected applications, while editors who are unfamiliar with the feature would simply not touch it. For editors who aren't aware of 2FA being available through SRGP, this is an increase in security for those who would opt in to 2FA, and doesn't affect those who wouldn't. — Newslinger talk 10:20, 3 December 2018 (UTC)
  • Support Support -- I think should have minimum 50 or 100 edits on Mete. Regards, ZI Jony (Talk) 17:48, 23 December 2018 (UTC)
  • I support Ajraddatz's idea with requirement like IRC/Cloaks#Obtaining a cloak. (TLDR: email verified, 250 edits globally, account older than 3 months, no current block.) (And also another note: "We can include all the warnings etc we want on the sign up page." @ Statement: People don't read the warnings, just like nobody reading Terms of Use.) — regards, Revi 14:06, 19 January 2019 (UTC)
  • Comment Comment I'm still not sure. But autoconfirmed has to be the minimum requirement if the answer ends up as yes. StevenJ81 (talk) 14:56, 23 January 2019 (UTC)
  • Comment Comment recently there are quite many user with admin access can't recover their account because they lost their scratch codes, this reflect well to most people from our community, if admins can make mistake like this, most likely many user will also get these kind of trouble, so I agree with what Nemo bis said.--AldNonymousBicara? 10:56, 4 March 2019 (UTC)
    After thinking about it for so long, and seeing already 5 admins got their account compromised, I decided to Support Support this idea.--AldNonymousBicara? 17:32, 25 March 2019 (UTC)
  • Support Support --Novak Watchmen (talk) 11:17, 4 March 2019 (UTC)
  • Support Support implementation as soon as possible. Vermont (talk) 17:35, 25 March 2019 (UTC)
  • Comment Comment This should be a global RfC not just a Meta RfC. Zppix (talk) 17:51, 25 March 2019 (UTC)
  • Oppose Oppose Problem with 2fa as i have said repeatedly in the past is if you need it reset and have lost scratch codes you have to contact wikimedia operations which then takes a team member off what they are doing to reset it for you Zppix (talk) 17:51, 25 March 2019 (UTC)
    When you made the same objection at Community Wishlist Survey 2019/Bots and gadgets/2FA available for all concerned editors, a WMF staff member said "No it doesn't require Ops." Perhaps Reedy can clarify. — Newslinger talk 06:19, 30 March 2019 (UTC)
    "Ops" traditionally means "SRE", it still doesn't require them (yes, they can do it, but they generally wouldn't be). Anyone with shell access (people who can deploy MW code), along with Trust and Safety (who have been fielding most of the requests anyway). The group of people that can do it is increasing, but they are still relatively limited. Policies and procedures aren't completely in place. TruSa would be best placed to comment whether they have the capacity to support more requests. It's technically easy to solve (removing 2FA - it's just a simple maintenance script to run), but potentially time consuming to field the requests, especially if/when users don't have a confirmed email addresses on their account (or even one at all). The burden of proof gets interesting Reedy (talk) 17:55, 30 March 2019 (UTC)
  • Oppose Oppose until the WMF have sufficient capacity to support the expected volume of support requests. Thryduulf (talk: meta · en.wp · wikidata) 11:20, 27 March 2019 (UTC)
  • Support Support I'm not a 2FA zealot, and for most non-functionary accounts it is overkill (even for the majority of sysops), but if people want it, sure. The fact that people can find meta show that they're informed enough about the Wikimedia movement that we can presume they are aware of the risks. TonyBallioni (talk) 20:31, 10 July 2019 (UTC)