Community Tech/LoginNotify
The LoginNotify project aims to improve security on Wikimedia sites by notifying the user when there are multiple unsuccessful attempts to login with that username.
This page documents a project the Wikimedia Foundation's Community Tech team has worked on or declined in the past. Technical work on this project is complete.
We invite you to join the discussion on the talk page. You may track this project's progress on T11838.
Extension:LoginNotify was created by Brian Wolff in 2016; Community Tech will be modifying the extension with new messages and settings, and get the extension ready for deployment.
Description
editThe warning messages are delivered via the user's Echo notifications, email, or both, with a link to a Help page on Mediawiki.org that explains the message, and offers suggestions for what to do next.
There are three types of notifications that can be flagged for the user's attention: Failed login attempts from a known device, failed login attempts from an unknown device, and successful login from an unknown device.
Each notification type can be delivered by web (Echo notifications) or by email. For the failed login attempts, the web notification is on by default. The successful logins, the email notification is on by default. These settings are configurable in the notification preferences.
The extension keeps track of known devices by placing a cookie in the browser. This cookie automatically expires if you don't return to the site within 180 days. If a failed login attempt happens from a new browser, it generates an Echo notification, alerting the user about the login attempt. The other way that we identify known devices is by checking the current IP address subnet against the IP addresses that have been used recently (as stored in a temporary server cache). None of the information is stored in a database, and at no point is any private information revealed publicly, including the attacker’s IP address or location. The WMF Legal and Security teams have reviewed the implementation for compliance with both our Privacy policy and security considerations.
Failed login attempts
editFailed login attempts from a known device
editFor known devices/IPs, we allow up to 5 login attempts before alerting the user about the login attempt, since it's fairly common to mistype or forget a password. If there are 5 or more failed attempts, the notification will say: "There have been 5 failed attempts to log in to your account since the last time you logged in. If this wasn't you, please make sure your account has a strong password." There would be another notification at 10 attempts, 15 attempts and so on.
Failed login attempts from an unknown device
editFor unknown devices/IPs, we alert on every failed attempt. The extension bundles these notifications to avoid spamming users with too many notifications. For example, if there are 3 failed attempts from an unknown device, there will be a single notification, which says: "There have been 3 failed attempts to log in to your account from a new device since the last time you logged in. If this wasn't you, please make sure your account has a strong password." On further attempts, that notification would update to say "4 failed attempts," "5 failed attempts", and so on.
By default, web notifications are turned on for failed login attempts, and email notifications are turned off.
Successful logins
editThis notification send you an email when a user logs in successfully to your account from an unfamiliar device and IP. This is especially helpful for admins or other functionaries who are concerned that their rights might be misused. This notification is off by default. Note that the web notifications are disabled for this feature. The email text says "Someone (probably you) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity."
Links in the notification
editAt the end of each message is a link that says "Change password" in a smaller font; this link points to Special:ChangePassword.
If you click on the notification, it links to Help:Login notifications on Mediawiki.org, which explains the feature and has links for more information on creating a strong password.
Important links
editStatus
editOct 19, 2017
editThere have been several people saying that the notification isn't informative enough, on the talk page and on Phabricator (T174388). The suggestion that people have made is to show the IP and/or location of the successful login. We think that the IP by itself probably wouldn't be very informative to most users, but showing the location would help. In order to do that, we need an extension that fetches geolocation from the IP address, which is being discussed here: T174553. We're going to look into this further.
Aug 18, 2017
editLoginNotify is now live!
June 7, 2017
editLoginNotify is ready for testing on Test Wikipedia! Let us know how the feature works for you on the talk page.
April 24, 2017
editThe extension has been modified to address all of the major issues thus far. We're looking into how emails will be handled and look forward to getting community feedback on this feature soon. The extension is live on the beta cluster. Pending final decision on the thresholds.
March 8, 2017
editWe'll change the notification to include a link to a Mediawiki.org page, which will explain the message, and offer suggestions for what to do next. (Check to see if a page like that already exists.) This page should be translated.