Talk:Global sysops/2019
Appearance
Latest comment: 5 years ago by BWolff (WMF) in topic 2FA?
Please do not post any new comments on this page. This is a discussion archive first created in 2019, although the comments contained were likely posted before and after this date. See current discussion. |
2FA?
On 2018-09-12 global sysop became interface-admin equivalents within their wikiset. Would someone from WMF determine if this group should be listed in the "mandatory two-factor authentication" section, and if so ensure that it is included in the manual WMF audit process. Ping to User:BWolff (WMF) who has been involved in similar discussions. — xaosflux Talk 14:03, 1 April 2019 (UTC)
- Alternatively, unbundle those rights from the GS group. (The global editinterface group already exists, although it is not restricted to the GS wikiset.) Was there even a discussion when those rights were added to the GS group? PiRSquared17 (talk) 14:32, 2 April 2019 (UTC)
- I cannot see any point in doing that. GSes commonly handle SRM requests and similar, involving interface edits and there has never been a discussion to not allow them to do this, anymore. --Vogone (talk) 14:39, 2 April 2019 (UTC)
- I Agree with Vogone, and also, increasing the security for GS that manage 400-500 wikis make sense to me.--AldNonymousBicara? 14:57, 2 April 2019 (UTC)
- I agree. There is a relatively frequent need for interface edits on small wikis. And regardless, GS’s should have 2FA enabled. Vermont (talk) 16:20, 2 April 2019 (UTC)
- I followed up with rest of security team - Anyone with editinterface rights has to have 2FA enabled - so all GS's either need 2FA or editinterface needs to be unbundled from this group. BWolff (WMF) (talk) 14:42, 9 April 2019 (UTC)
- I cannot see any point in doing that. GSes commonly handle SRM requests and similar, involving interface edits and there has never been a discussion to not allow them to do this, anymore. --Vogone (talk) 14:39, 2 April 2019 (UTC)
- Question: , is Phab ticket already created to add 2FA to GS group?--AldnonymousBicara? 15:49, 9 April 2019 (UTC)
- Which phab ticket are you talking about? 2FA is an individual user setting. --Vogone (talk) 15:56, 9 April 2019 (UTC)
- Vogone I recall there's a conversation about this, a user who are previously a sysop is not a sysop anymore (temporary sysopship), then got GS access after request, still can not enable 2FA because he's not an admin anywhere, the only thing that user have is GS bit, and still can't enable 2FA.--AldnonymousBicara? 16:09, 9 April 2019 (UTC)
- Then perhaps you should report that, this sounds like a bug. Global sysops should be able to enable 2FA on all of the GS wikis since at least 12 November 2016, and from my own observation this does work for me at least (I just tested by disabling and re-enabling on zuwiki). --Vogone (talk) 17:18, 9 April 2019 (UTC)
- Vogone AFAIK once you enable 2FA it can be enabled again on all wikis, just like authtester. I can no longer check if this true or not, BWolff (WMF) can you confirm this?--AldnonymousBicara? 18:09, 9 April 2019 (UTC)
- Vogone finally got the page and Phab, see here Steward_requests/Global_permissions/2018-12#Global_sysop_for_Esteban16, and Phab:T211532.--AldnonymousBicara? 18:16, 9 April 2019 (UTC)
- Not true, I could not enable 2FA on dewiki for instance (non-GS wiki), just as expected. --Vogone (talk) 18:20, 9 April 2019 (UTC)
- 2FA is a global setting, so once you enable it on one wiki its enabled on all. If you are a global sysop you should be able to enable it on any wiki where the global sysop rights are active (In the emails i sent out I didn't think of just and just said meta, I should have mentioned that). BWolff (WMF) (talk) 19:15, 9 April 2019 (UTC)
- Vogone AFAIK once you enable 2FA it can be enabled again on all wikis, just like authtester. I can no longer check if this true or not, BWolff (WMF) can you confirm this?--AldnonymousBicara? 18:09, 9 April 2019 (UTC)
- Then perhaps you should report that, this sounds like a bug. Global sysops should be able to enable 2FA on all of the GS wikis since at least 12 November 2016, and from my own observation this does work for me at least (I just tested by disabling and re-enabling on zuwiki). --Vogone (talk) 17:18, 9 April 2019 (UTC)
- Vogone I recall there's a conversation about this, a user who are previously a sysop is not a sysop anymore (temporary sysopship), then got GS access after request, still can not enable 2FA because he's not an admin anywhere, the only thing that user have is GS bit, and still can't enable 2FA.--AldnonymousBicara? 16:09, 9 April 2019 (UTC)
- There certainly could be the rare GS that does not have any of the access that allows this on any project at all, but it doesn't matter where you do it from because of SUL - so is this really an actual issue or just a hypothetical one? — xaosflux Talk 19:01, 9 April 2019 (UTC)
- Looks like there is exactly one person in that situation: @MoiraMoira:. I'd happily add sysop on testwiki or test2wiki to let that be immediately fixable. — xaosflux Talk 19:05, 9 April 2019 (UTC)
- Added on testwiki and left MM a talk page note. — xaosflux Talk 19:23, 9 April 2019 (UTC)
- Looks like there is exactly one person in that situation: @MoiraMoira:. I'd happily add sysop on testwiki or test2wiki to let that be immediately fixable. — xaosflux Talk 19:05, 9 April 2019 (UTC)
- Which phab ticket are you talking about? 2FA is an individual user setting. --Vogone (talk) 15:56, 9 April 2019 (UTC)
- @BWolff (WMF): What's the deadline for adding 2FA? I'm not sure I'll have time today to deal with it, is it okay if I do it later this week? PiRSquared17 (talk) 16:24, 9 April 2019 (UTC)
- Yes that's fine. BWolff (WMF) (talk) 16:32, 9 April 2019 (UTC)
- More concretely, please everyone try to have it enabled by this time next week (Not a hard-deadline, but it would make me happy). BWolff (WMF) (talk) 19:15, 9 April 2019 (UTC)
- @BWolff (WMF): Done. By the way, will my committed SHA512 identity on my userpage be sufficient to gain access to my account if I ever lose it? PiRSquared17 (talk) 17:42, 16 April 2019 (UTC)
- So Trust&Safety handles the restoring accounts process. Provided committed identity is done properly, yes it should be enough to restore your account to you (Our internal docs on this are at wikitech:Password_reset/Confirming_identities). But please keep the backup codes somewhere safe, as using those is a much easier process than having to use your committed identity to get your account back. BWolff (WMF) (talk) 06:11, 23 April 2019 (UTC)
- @BWolff (WMF): Done. By the way, will my committed SHA512 identity on my userpage be sufficient to gain access to my account if I ever lose it? PiRSquared17 (talk) 17:42, 16 April 2019 (UTC)
- More concretely, please everyone try to have it enabled by this time next week (Not a hard-deadline, but it would make me happy). BWolff (WMF) (talk) 19:15, 9 April 2019 (UTC)