Problem: 2FA available for all concerned editors. Everyone should have additional security on their account if they so desire. Why is it limited to users with advanced permissions?
Who would benefit: Currently these user groups are still vulnerable (Template editor, Mass message sender, Ipblock-exempt, Edit filter managers, Pending changes reviewer, Rollbacker, Autoreviewer, Patroller), and all the concerned editors who don't want to be hacked.
Proposed solution: First, enable the existing two-factor authentication for these user groups. Then make Toolforge capable enough that it can provide a 2FA service for all editors.
I support this wholeheartedly. I even duplicated it here before realizing this had already been started. But better security should be for everyone on Wiki, not just a selected few groups. 2FA should be available to everyone. DaneGeld (talk) 19:32, 10 November 2018 (UTC)
This needs better ways to revoke and reset credentials, and also being able to test the solution to see if the user fully understands how it works. No, it is not a real solution to email a reset link or to SMS additional codes, but it could be sufficient during a one-day or one-week training phase. — Jeblad 08:15, 18 November 2018 (UTC)
When my phone with the authenticator on it died, I lost the ability to access my account. While I agree all functionaries should use 2FA, we would need to check to see if there are resources to support all editors. Doc James (talk · contribs · email) 03:58, 20 November 2018 (UTC)
What Doc James said is the exact reason this has not happened yet: 2FA reset can currently only be done by developers, which does not scale. The problem is being worked on and 2FA for everyone who wants it is definitely the end goal. Until then, if you feel particularly unsafe, you can request membership in the oathauth-tester global group as a temporary workaround (example). --Tgr (talk) 22:30, 25 November 2018 (UTC)
Hi Tisza Gergő. I've seen your contribution at Phabricator. Highly appreciated. Please give me some info. What's the current status of phab:T195207, phab:T180896 & Special:DisableOATHForUser? What does it actually mean? Does it mean we implemented a special page but it won't work until some specific criteria are fulfilled (triage)? Am I missing something?
What's the most viable solution for these problems, do you think?
@Ahm masum: the special page works but there is no limitation on its usage, so only extremely highly trusted users can be given access to it (stewards, at best; maybe just staff). IMO that's not good enough for wide deployment and the page needs to be made less powerful (I'm not really involved in the decision-making about OATH though, so that's just my personal opinion). But understandably people are more worried about making sure that the users who already can use 2FA actually do (since the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones), so fixing the special page is lower priority. --Tgr (talk) 18:34, 27 November 2018 (UTC)
Anyone can already get 2FA access by asking on SRGP. We could make a separate page for requesting 2FA access if needed, maybe one that's simpler where you just add your username (or click a fancy JS button that does it for you) and then stewards can assign based on that. The page could also include all the required reading and warnings to save the scratch codes. – Ajraddatz (talk) 01:43, 26 November 2018 (UTC)
Just a heads up that SMS 2FA will not be implemented; it's been against best practices for years because it's very insecure [1], never mind having to deal with saving personal information such as people's mobile phone numbers. Reedy (talk) 23:33, 6 December 2018 (UTC)
I understand, as a question of better security, the Foundation's current focus is the advanced user groups. Of course, the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones. So here are some ideas that I got (inspired by TheDJ) so that both parties could be happy & it won't cost WMF staff's valuable time.
Proposed solution for advanced user groups (just thoughts):
In the "simple 2FA", make an option so that advanced users can save their "emergency tokens/scratch codes" in another location/device (it can be Dropbox, LastPass or Keeper). As additional security, give them the ability to "make their own security question & answer". It could be stored in the same location. It'll only be required when he makes a "reset" request.
Give them a web interface to request a reset. It could be a special page like "Special:ResetRequest" (SP:RR), similar to Special:DisableOATHForUser, or it could be a "pop-up" similar to those of FB/Google (as a part of the MediaWiki software). It could have a "dropdown menu" so that he can select his native wiki & known admins. It could also have a "textbox area" where the user will write down something & try to prove his identity.
Make that "interface/pop-up" conditional, similar to those of FB/Google, so that most hackers couldn't even make a request:
The user needs to enter his name and password to initiate the request.
Check if the user knows his password.
Check if the verified email address and password were not changed recently (last 30 days?).
Check if the user knows his correct "security answer".
Log whether the user was still logged in when making the request.
Log whether the request was initiated from known devices, browsers or IPs.
After all these criteria are fulfilled, the request will be automatically posted in two different places: one will be the village pump (his native wiki) & the other will be Meta (Steward_requests/Permissions#Removal_of_access). Only after the local community has confirmed his identity will the local admin ping a steward & he'll make the decision (by executing Special:DisableOATHForUser).
Proposed solution for all the non-privileged editors (just thoughts):
Like all the other popular web entities (FB/G), we could make SMS-based authentication an "optional Beta Feature". Though it's not the most secure way, we must agree that it makes the user feel safer than before.
Like all the other popular web entities (FB/G), we could make a "Saved Device & Login Notification" feature an "optional Beta Feature". When someone tries to log in from an unknown device, the user will get a login notification & SMS.
We could make a cryptographic feature similar to FB's "Encrypted notification emails" an "optional Beta Feature". It'll make the reset & notification emails more secure even when the email is compromised. MediaWiki could have a function to generate an "OpenPGP public key" the way iGolder does, & it could be saved in another location/device (it can be Dropbox, LastPass or Keeper).
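The conditional reset-request flow proposed in the post above (password check, no recent email/password change, security answer, plus logged device and session signals) as an added example in Python. This is not code from the wishlist thread nor from MediaWiki or its OATHAuth extension; the `AccountRecord`, `ResetRequest` and `Decision` classes, the hypothetical Special:ResetRequest gate, the salted-PBKDF2 storage of the answer, and all sample accounts and requests are constructed for illustration. The 30-day window is taken from the proposal; the split into hard checks (refuse outright) and soft signals (log only, for the humans who confirm identity) is this example's reading of it.

```python
# Added example (not part of the wishlist thread or of MediaWiki's OATHAuth
# extension): a policy gate for the conditional 2FA reset request sketched
# above. Hard checks refuse the request outright; soft signals are only logged
# for the community members who later confirm the requester's identity.
# All names, record layouts and sample values are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

RECENT_CHANGE_WINDOW = timedelta(days=30)  # "not changed recently (last 30 days?)"

def hash_secret(value: str, salt: bytes) -> bytes:
    # Salted PBKDF2: neither the password nor the security answer is stored in clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)

def normalise_answer(answer: str) -> str:
    # Security answers are compared case- and whitespace-insensitively.
    return " ".join(answer.split()).lower()

@dataclass
class AccountRecord:
    username: str
    password_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    email_changed_at: datetime
    password_changed_at: datetime
    known_devices: frozenset
    known_ips: frozenset

    @classmethod
    def create(cls, username, password, answer, email_changed_at,
               password_changed_at, known_devices=(), known_ips=()):
        psalt, asalt = secrets.token_bytes(16), secrets.token_bytes(16)
        return cls(username, psalt, hash_secret(password, psalt),
                   asalt, hash_secret(normalise_answer(answer), asalt),
                   email_changed_at, password_changed_at,
                   frozenset(known_devices), frozenset(known_ips))

@dataclass
class ResetRequest:
    username: str
    password: str
    security_answer: str
    device_id: str
    ip: str
    session_active: bool
    submitted_at: datetime

@dataclass
class Decision:
    posted: bool         # True: forwarded to the village pump and Meta for human review
    failed_checks: list  # hard checks that did not pass
    audit: list          # log lines shown alongside the request

def evaluate_reset_request(acct: AccountRecord, req: ResetRequest) -> Decision:
    failed, audit = [], []
    # Hard checks: any failure refuses the request before it reaches humans.
    if not hmac.compare_digest(hash_secret(req.password, acct.password_salt),
                               acct.password_hash):
        failed.append("password")
    if req.submitted_at - acct.email_changed_at < RECENT_CHANGE_WINDOW:
        failed.append("email_changed_recently")
    if req.submitted_at - acct.password_changed_at < RECENT_CHANGE_WINDOW:
        failed.append("password_changed_recently")
    if not hmac.compare_digest(
            hash_secret(normalise_answer(req.security_answer), acct.answer_salt),
            acct.answer_hash):
        failed.append("security_answer")
    # Soft signals: recorded for reviewers, not enforced.
    audit.append(f"session_active={req.session_active}")
    audit.append(f"known_device={req.device_id in acct.known_devices}")
    audit.append(f"known_ip={req.ip in acct.known_ips}")
    audit.append("result=" + ("posted" if not failed else "refused:" + ",".join(failed)))
    return Decision(posted=not failed, failed_checks=failed, audit=audit)

def demo():
    # Constructed scenario: a legitimate request, one with a wrong answer from an
    # unknown device, and one for an account whose password changed 5 days ago.
    now = datetime(2018, 12, 1, 12, 0)
    acct = AccountRecord.create("ExampleUser", "correct horse battery", "Blue Whale",
                                now - timedelta(days=400), now - timedelta(days=90),
                                known_devices={"dev-1"}, known_ips={"203.0.113.5"})
    fresh = AccountRecord.create("OtherUser", "pw", "answer",
                                 now - timedelta(days=400), now - timedelta(days=5))
    return {
        "legit": evaluate_reset_request(acct, ResetRequest(
            "ExampleUser", "correct horse battery", "  blue   whale ",
            "dev-1", "203.0.113.5", True, now)),
        "wrong_answer": evaluate_reset_request(acct, ResetRequest(
            "ExampleUser", "correct horse battery", "red",
            "dev-9", "198.51.100.7", False, now)),
        "too_soon": evaluate_reset_request(fresh, ResetRequest(
            "OtherUser", "pw", "answer", "dev-2", "192.0.2.9", False, now)),
    }
```

The point of separating hard checks from soft signals is that a "known device" or "still logged in" flag is evidence for the reviewers who confirm identity on the village pump and at Meta, but a compromised session would pass it, so it must not by itself unlock a reset; the password and security answer are compared with `hmac.compare_digest` over salted hashes so that a wrong guess cannot be distinguished by timing or by reading the stored record.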
Most of the suggestions here have nothing to do with the actual wish as stated up top, but FWIW, SMS notification is T150902, and encrypted emails is T12453. --Tgr (talk) 07:04, 10 December 2018 (UTC)
Oppose I think that as it is, 2FA is not really robust enough to be allowed for everybody; we still have issues with people getting locked out of their accounts. That, and I am generally wary of security measures that require a lot of instructions to follow. Jo-Jo Eumerus (talk, contributions) 10:07, 17 November 2018 (UTC)
Strong oppose Per Jo-Jo Eumerus, primarily. 2FA over here is hands-down the worst of all I've used, and an aggressive pushing of 2FA (though optional) will lead to more registrations and consequently more lock-downs. If anybody has a profound interest, he/she can easily request at the Stewards' Noticeboard (over Meta) to install 2FA on his/her account. Winged Blades of Godric (talk) 15:42, 17 November 2018 (UTC)
Support Better security should be a priority for all of us, not just those with specific tasks to undertake or roles to fulfill. Every user should be able to choose to use 2FA. DaneGeld (talk) 22:47, 18 November 2018 (UTC)
Oppose While this is a great idea in a security aspect, unless they make a better system to reset 2FA if the scratch codes are lost, I say don't do this. As of right now (as far as I recall) the Wikimedia operations team has to reset 2FA if scratch codes are lost, therefore giving anyone access to 2FA could lead to a huge backlog of requests to reset 2FA. Zppix (talk) 22:18, 28 November 2018 (UTC)