
Talk:Mandatory two-factor authentication for users with some extended rights

From Meta, a Wikimedia project coordination wiki

Missing notifications


I've heard that some are unable to use CU/OS now, which indicates that this has gone into effect. However, I don't think that the page's promise of contact[ing] impacted users directly ahead of the change occurred. Why is that, and will the change be delayed to after the notifications have occurred instead of before? Sdrqaz (talk) 01:44, 21 May 2025 (UTC)

NOTE: The config change has now been reverted in Wikimedia production (i.e. the users without 2FA can use their tools again), whilst we check what went wrong in the planned communication. Some of the communication went out, but apparently not all.
We will leave the config reverted for at least a week after confirmed communications have been delivered.
Thank you Sdrqaz for your note here and on phab. Quiddity (WMF) (talk) 23:16, 21 May 2025 (UTC)
Thank you, Quiddity (WMF). I've not seen the message so maybe it is already clear, but based on Ponyo's reverted message, it may need to be made clearer that Special:OATH needs to be accessed from a wiki where the user has CU/OS. (I know that Help:Two-factor authentication does say that, but it wouldn't hurt to repeat.) Sdrqaz (talk) 23:30, 21 May 2025 (UTC)
Per Special:GlobalGroupPermissions most global groups have the oathauth-enable permission; we should just add that to the global temporary account IP viewer group, allowing all CU & OS to enable 2FA via any wiki (e.g. Meta, when they are reading this page). Johannnes89 (talk) 06:07, 22 May 2025 (UTC)
Sounds sensible, good idea. Sdrqaz (talk) 17:11, 22 May 2025 (UTC)
I've added that detail to the page. Thanks again, Sdrqaz. -- Quiddity (WMF) (talk) 17:24, 22 May 2025 (UTC)
As @Quiddity (WMF) mentioned above, we're delaying it. I've just updated the Meta page to reflect a new deadline of June 3rd (another 2 weeks after May 20th), in acknowledgement of the communication error. EMill-WMF (talk) 14:08, 22 May 2025 (UTC)
Thank you! Sdrqaz (talk) 17:11, 22 May 2025 (UTC)

Temporarily disabling 2FA


When I last changed my 2FA device, I remember temporarily disabling 2FA on my old device, migrating everything to my new device, then enabling 2FA as a new setup on my new device. Would I still be able to do that next time I upgrade, or will I be prevented from disabling 2FA? Thryduulf (talk: meta · en.wp · wikidata) 02:07, 21 May 2025 (UTC)

You are prevented from taking actions requiring the rights when you have 2FA disabled. You are not prevented from disabling 2FA. Izno (talk) 19:00, 21 May 2025 (UTC)

Comments for security

  • What issues have you had, or seen others have, with two-factor authentication on Wikimedia projects?
    • To write down recovery codes, it may be hard for someone to distinguish similar characters like "V" and "U".
  • Are there technical security requirements other than 2FA that we should be considering as potential requirements for maintaining privileged access on the wikis?
    • Maybe we need to arrange password policies. For example, how about changing Stewards' (MinimalPasswordLength) to 12 or more?
  • What other user groups or privileges should we be focused on as we look at strengthening our security policies?
    • Anyone who has extended privileges should be required to set up 2FA, in my view.
  • What do we most need to be careful about as we go about this work?
    • Please make improvements to WebAuthn support.
  • Any other comments or questions you have.
    • Thank you for any effort to secure the Wikimedia projects!

--T4NeGMp7P4en (talk) 06:59, 13 September 2025 (UTC)

Extended security testing, dogfooding


Can we start outlining extended security requirements and spin up a testing group? Compare to e.g. Google Advanced Protection or Apple Advanced Data Protection, where a user cannot disable MFA and has no 'backup codes'. PERSISTENT.CIRCUMSTANCE (talk) 17:20, 28 October 2025 (UTC)

Adding 'EmailAuth' to 2FA


Can we have OFF / SUSPICIOUS / ON options for EmailAuth added to the 2FA options? Currently 2FA only offers some TOTP scheme and then some version of WebAuthn, and turning either of these on disables EmailAuth entirely. PERSISTENT.CIRCUMSTANCE (talk) 03:23, 29 October 2025 (UTC)

See T394105 for past discussion. Tgr (WMF) (talk) 13:50, 31 October 2025 (UTC)
I'll leave this here for anyone else who would ask for the same thing without finding it on Phabricator.
As of today the discussion covers almost everything I would want to bring up. The only thing missing is any discussion of disabling password reset by email. PERSISTENT.CIRCUMSTANCE (talk) 15:42, 31 October 2025 (UTC)