Community Wishlist Survey 2017/Admins and stewards/Make 2FA easier to use

Make 2FA easier to use

  • Problem:

We've had two-factor authentication enabled for admins (and other functionaries) for some time. But MediaWiki's implementation of 2FA is rather clumsy at the moment: the secret and the scratch codes are only shown once, which means a user cannot use multiple token-generating devices (unless the user sets them all up at the same time) and cannot change devices without disabling all existing devices and scratch codes. The common option to remember a device, so that future log-ins require only a password and not an authenticator token, is also noticeably absent.

  • Who would benefit:

Everybody who wants to use two-factor authentication

  • Proposed solution:
    • Change the OATH interface to allow further devices to be added without revoking existing devices and scratch codes.
    • Add a "remember this device" option so that future logins from the same device require only a password.
  • More comments:

Discussion

  • The latter point, that there is no 'remember' option, is the primary reason I don't use 2FA. I'd love to, but I switch between accounts too often for it to be useful. Samwalton9 (talk) 23:06, 9 November 2017 (UTC)
  • This would certainly be a useful change for 2FA. We should also require that users have an email attached to their account to use 2FA, and allow for 2FA to be removed from an account after confirming in an email rather than using the scratch codes. With that done, the extension could be more widely rolled out. – Ajraddatz (talk) 23:08, 9 November 2017 (UTC)
  • Provided that the account could be recovered by confirming one's password and receiving an email, I think this is fine. Strongly worded setup instructions to encourage the use of a committed identity would be a good idea from the outset. I would like to use 2FA; however, I know many people don't, and it will of course be optional. A Den Jentyl Ettien Avel Dysklyver (talk) 14:57, 11 November 2017 (UTC)
  • Only showing 2FA keys once is a standard security feature. It means your 2FA identity cannot be compromised if the attacker gains temporary access to your account (steals your cookies or opens your preferences while you turn your back on your laptop). Changing that seems like a bad idea. Maybe we could allow multiple different keys (with notification emails and everything). For more modern 2FA methods like U2F that will be a requirement anyway.
    Remembering the device is less problematic, but with 1-year login durations how much difference does it make? --Tgr (WMF) (talk) 00:53, 17 November 2017 (UTC)
    How about showing them again, as an elevated action, where you have to enter your existing 2FA again. —TheDJ (talk · contribs) 13:45, 18 November 2017 (UTC)
    That could work. --Tgr (WMF) (talk) 22:46, 18 November 2017 (UTC)
    We could also add it to password resets (if it isn't already). Some sites are already doing this. Github calls it sudo mode, Phabricator calls it high security mode. 😂 (talk) 07:52, 6 December 2017 (UTC)
    We do (for Special:ChangePassword, not Special:PasswordReset of course). Although there's no UI to indicate the "elevated" mode and no way to deactivate it besides waiting for it to expire in (by default) 5 minutes. On the code level, see AuthManager::securitySensitiveOperationStatus() (and also SpecialPage::getLoginSecurityLevel()/SpecialPage::checkLoginSecurityLevel()). Anomie (talk) 15:27, 6 December 2017 (UTC)
  • It's important to improve this, but I don't want to specify specific technical functionality -- one definite need is for easier account recovery. I've also been informed there is no way of setting up 2FA from a Mac interface. DGG (talk) 01:59, 20 November 2017 (UTC)
  • U2F support would indeed be very welcome, as I think it's going to be easier for many less technically inclined people (apart from the need for a physical key, of course). Overall, if several 2FA methods could be supported (including more than one of a type, e.g. registering two U2F keys), that would be ideal and—especially if plain backup codes are supported as well—would also automatically solve the problem with account recovery (besides committed identity, but that may again be too much for some people). The option to remember the device should also help to convince more people that 2FA isn't going to be an unbearable burden (and it's still going to be more secure than using no 2FA whatsoever).
    — Luchesar • T/C 20:24, 28 November 2017 (UTC)
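As an added example (not MediaWiki or OATH extension code), here is a small Python model of what the proposal and the discussion above describe: several TOTP devices per account, each with its own secret; single-use scratch codes stored only as hashes; and adding devices or regenerating scratch codes gated on a recent "elevated" 2FA check that expires after 5 minutes. The class and method names are assumptions; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) as used by authenticator apps.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for Unix time t (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

class TwoFactorAccount:
    """Hypothetical account holding several named TOTP devices plus scratch codes."""
    ELEVATED_TTL = 300  # seconds an "elevated" (freshly re-authenticated) state lasts

    def __init__(self):
        self.devices = {}        # device name -> raw secret bytes
        self.scratch = set()     # sha256 hex digests of still-unused scratch codes
        self.elevated_until = 0  # Unix time until which sensitive changes are allowed

    def verify(self, code: str, now: int) -> bool:
        """Accept a code from any device (allowing one step of clock drift) or one unused scratch code."""
        for secret in self.devices.values():
            if any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30)):
                self.elevated_until = now + self.ELEVATED_TTL
                return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.scratch:
            self.scratch.remove(digest)  # scratch codes are single-use
            self.elevated_until = now + self.ELEVATED_TTL
            return True
        return False

    def _require_elevated(self, now: int) -> None:
        # First enrolment has no device to check against; afterwards a fresh 2FA check is needed.
        if self.devices and now > self.elevated_until:
            raise PermissionError("re-authenticate with 2FA before changing 2FA settings")

    def add_device(self, name: str, now: int) -> bytes:
        """Register another device without revoking existing ones; the secret is shown only once."""
        self._require_elevated(now)
        secret = secrets.token_bytes(20)
        self.devices[name] = secret
        return secret

    def new_scratch_codes(self, now: int, count: int = 5) -> list:
        """Replace the scratch-code set; plaintext codes are returned once, only hashes are kept."""
        self._require_elevated(now)
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.scratch = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes
```

Times are passed in explicitly so the behaviour (drift window, elevation expiry) can be checked deterministically.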

Voting