Community Wishlist Survey 2019/Bots and gadgets/2FA available for all concerned editors



  • Problem: Available 2FA for all concerned editors. Everyone should have additional security on their account if they so desire. Why is it just limited to users with advanced permissions?
    (Image: TOTP login.png)
  • Who would benefit: Currently these user groups are still vulnerable (Template editor, Mass message sender, Ipblock-exempt, Edit filter managers, Pending changes reviewer, rollbacker, autoreviewer, patroller), and all the concerned editors who don't like to be hacked.
  • Proposed solution: First, enable the "existing" 2 factor authentication for these user groups. Then make "Toolforge" capable enough so that it can provide a "2FA" service for all editors.
  • More comments:
  • Phabricator tickets: phab:T166622
  • Proposer: Ahm masum (talk) 13:15, 8 November 2018 (UTC)

Discussion

@Ahm masum: Are you sure that phab:T100373 is the task about this proposal and not phab:T166622 instead? --AKlapper (WMF) (talk) 12:44, 9 November 2018 (UTC)

@AKlapper (WMF): OOPS, MY BAD. THANKS. --Ahm masum (talk) 21:03, 9 November 2018 (UTC)
  • I support this wholeheartedly. I even duplicated it here before realizing this had been started. But, better security should be for everyone on Wiki, not just a selected few groups. 2FA should be available to everyone. DaneGeld (talk) 19:32, 10 November 2018 (UTC)
  • This needs better ways to revoke and reset credentials, and also being able to test the solution to see if the user fully understands how it works. No, it is not a real solution to email a reset link or to SMS additional codes, but it could be sufficient during a one-day or one-week training phase. — Jeblad 08:15, 18 November 2018 (UTC)
  • When my phone with the authenticator on it died, I lost the ability to access my account. While I agree all functionaries should use 2FA, we would need to check to see if there are resources to support all editors. Doc James (talk · contribs · email) 03:58, 20 November 2018 (UTC)
  • What Doc James said is the exact reason this has not happened yet: 2FA reset can currently only be done by developers, which does not scale. The problem is being worked on and 2FA for everyone who wants it is definitely the end goal. Until then, if you feel particularly unsafe, you can request membership in the oathauth-tester global group as a temporary workaround (example). --Tgr (talk) 22:30, 25 November 2018 (UTC)
Hi Tisza Gergő. I've seen your contribution at Phabricator. Highly appreciate it. Please give me some info. What's the current status of phab:T195207, phab:T180896 & Special:DisableOATHForUser? What does it actually mean? Does it mean we implemented a "Special page" but it won't work until some specific criteria are fulfilled (triage)? Am I missing something?
What's the most viable solution for these problems, do you think?
How could we make & MAINTAIN a web interface in such a way that the "reset process" doesn't take up WMF staff's valuable time? @Tgr: @AKlapper (WMF): @TheDJ: -- Ahm masum (talk) 10:53, 27 November 2018 (UTC)
@Ahm masum: the special page works but there is no limitation on its usage, so only extremely highly trusted users can be given access to it (stewards, at best; maybe just staff). IMO that's not good enough for wide deployment and the page needs to be made less powerful (I'm not really involved in the decision-making about OATH though, so that's just my personal opinion). But understandably people are more worried about making sure that the users who already can use 2FA actually do (since the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones), so fixing the special page is lower priority. --Tgr (talk) 18:34, 27 November 2018 (UTC)
  • Anyone can already get 2FA access by asking on SRGP. We could make a separate page for requesting 2FA access if needed, maybe one that's simpler where you just add your username (or click a fancy js button that does it for you) and then stewards can assign based on that. The page could also include all the required reading and warning to save the scratch codes. – Ajraddatz (talk) 01:43, 26 November 2018 (UTC)
  • Just a heads up that SMS 2FA will not be implemented, it's been against best practices for years because it's very insecure [1], never mind having to deal with saving personal information such as peoples mobile phone numbers. Reedy (talk) 23:33, 6 December 2018 (UTC)
  • I understand, as a question of better security, the "foundation's" current focus is the "advanced user groups". Of course; the hijacking of a privileged account is much, much more problematic than the hijacking of a couple or even many non-privileged ones. So here are some ideas that I got (inspired by TheDJ) so that both parties could be happy & it won't cost WMF staff's valuable time.

Proposed solution for advanced user groups (just thoughts):

  1. In the "simple 2FA" make an option so that advanced users can save their "Emergency tokens/scratch codes" in another location/device (it can be Dropbox, LastPass or Keeper). As additional security, give them the ability to "make their own security question & answers". It could be stored in the same location. It'll only be required when he makes a "reset" request.
  2. Give them a web interface to request a reset. It could be a special page like "Special:ResetRequest" (SP:RR), similar to Special:DisableOATHForUser, or it could be a "pop up" similar to those of FB/Google's (as a part of the MediaWiki software). It could have a "dropdown menu" so that he can select his native wiki & known admins. It could also have a "textbox area" where the user will write down something & try to prove his identity.
  3. Make that "interface/pop up" conditional, similar to those of FB/Google's, so that most of the hackers couldn't even make a request.

The user needs to enter his name and password to initiate a request.

    • Check if the user knows his password
    • Check if the verified email address and password were not changed recently (last 30 days?)
    • Check if the user knows his correct "security answer".
    • Log if the user was still logged in when making the request
    • Log if the request was initiated from known devices, browsers or IPs.

After all these criteria are fulfilled, the request will be automatically posted in two different places. One will be the village pump (his native wiki) & the other will be Meta (Steward_requests/Permissions#Removal_of_access). Only after the local community has confirmed his identity will the local admin ping a steward & he'll make the decision (by executing Special:DisableOATHForUser).

Proposed solution for all the non-privileged editors (just thoughts):

  1. Like all the other popular web entities (FB/G), we could make SMS-based authentication an "Optional Beta Feature". Though it's not the most secure way, we must agree that it makes the user feel safer than before.
  2. Like all the other popular web entities (FB/G), we could make a "Saved Device & Login Notification" feature an "Optional Beta Feature". When someone tries to log in from an unknown device, the user will get a login notification & SMS.
  3. We could make a cryptographic feature similar to FB's "Encrypted notification emails". As an "Optional Beta Feature" it'll make the reset & notification emails more secure even when the email is compromised. MediaWiki could have a function to generate an "OpenPGP Public Key" the way "igolder" does & it could be saved in another location/device (it can be Dropbox, LastPass or Keeper).

It's just some thoughts that I wanted to share. I have no expertise in these fields. Please excuse my noviceness. THANKS --- Ahm masum (talk) 20:37, 29 November 2018 (UTC)
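The gating checklist in the post above (password known, security answer known, no credential change in the last 30 days, and logged-only device/session signals) can be expressed as a small policy function. The block below is an added illustration written for this page; it is not MediaWiki or OATHAuth code and not part of the proposal. Everything in it is an assumption: the `Account` and `ResetRequest` records, the PBKDF2 hashing (standing in for whatever scheme a real site already uses), the 30-day window as a tunable, and the constructed sample user, secrets and addresses used by `demo()`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "last 30 days?" from the proposal; a tunable here, not a MediaWiki setting
RECENT_CHANGE_WINDOW = timedelta(days=30)

def hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a real site would reuse its
    # existing password-hashing scheme instead of this hypothetical one.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_record(secret: str):
    salt = os.urandom(16)
    return salt, hash_secret(secret, salt)

def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    # constant-time compare so a wrong guess is not distinguishable by timing
    return hmac.compare_digest(hash_secret(secret, salt), expected)

def normalize_answer(answer: str) -> str:
    # security answers are compared case- and whitespace-insensitively
    return " ".join(answer.split()).lower()

@dataclass
class Account:
    name: str
    pw_salt: bytes
    pw_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    email_changed_at: datetime
    password_changed_at: datetime
    known_ips: set = field(default_factory=set)
    known_user_agents: set = field(default_factory=set)

@dataclass
class ResetRequest:
    name: str
    password: str
    security_answer: str
    ip: str
    user_agent: str
    has_valid_session: bool
    now: datetime

def evaluate_reset_request(acct: Account, req: ResetRequest) -> dict:
    """Apply the proposal's checks; return accepted flag, reasons and a log.

    All hard checks run (no short-circuit) so the audit log is complete. The
    device/session signals are logged for the humans who confirm identity
    later; on their own they never accept or refuse a request."""
    reasons = []
    if not verify_secret(req.password, acct.pw_salt, acct.pw_hash):
        reasons.append("password mismatch")
    if not verify_secret(normalize_answer(req.security_answer),
                         acct.answer_salt, acct.answer_hash):
        reasons.append("security answer mismatch")
    cutoff = req.now - RECENT_CHANGE_WINDOW
    if acct.email_changed_at > cutoff:
        reasons.append("email changed within the last 30 days")
    if acct.password_changed_at > cutoff:
        reasons.append("password changed within the last 30 days")
    log = {
        "user": acct.name,
        "requested_at": req.now.isoformat(),
        "still_logged_in": req.has_valid_session,
        "known_ip": req.ip in acct.known_ips,
        "known_browser": req.user_agent in acct.known_user_agents,
    }
    return {"accepted": not reasons, "reasons": reasons, "log": log}

def sample_account(now: datetime) -> Account:
    # constructed sample record; the secrets exist only so the example runs
    pw_salt, pw_hash = make_record("correct horse battery staple")
    a_salt, a_hash = make_record(normalize_answer("Wikipedia"))
    return Account("ExampleUser", pw_salt, pw_hash, a_salt, a_hash,
                   email_changed_at=now - timedelta(days=200),
                   password_changed_at=now - timedelta(days=90),
                   known_ips={"198.51.100.7"},          # TEST-NET-2 address
                   known_user_agents={"ExampleBrowser/1.0"})

def demo() -> dict:
    """Three constructed requests: genuine, wrong password, recent change."""
    now = datetime(2018, 11, 29, 20, 37, tzinfo=timezone.utc)
    acct = sample_account(now)
    good = ResetRequest("ExampleUser", "correct horse battery staple",
                        "  wikipedia ", "198.51.100.7", "ExampleBrowser/1.0",
                        True, now)
    bad = ResetRequest("ExampleUser", "wrong password", "wikipedia",
                       "203.0.113.9", "OtherBrowser/2.0", False, now)
    results = {"genuine": evaluate_reset_request(acct, good),
               "wrong_password": evaluate_reset_request(acct, bad)}
    acct.password_changed_at = now - timedelta(days=3)   # changed 3 days ago
    results["recent_change"] = evaluate_reset_request(acct, good)
    return results
```

Calling `demo()` returns three outcomes: the genuine request is accepted with every logged signal true, the wrong-password request is refused with a single reason, and the third shows why the recency rule matters: the same genuine credentials are refused once the password was changed three days ago, which is exactly the situation after an account takeover. Note that the accepted result only means the request may be posted for the community and steward review the post describes; nothing here disables 2FA by itself.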

Most of the suggestions here have nothing to do with the actual wish as stated up top, but FWIW, SMS notification is T150902, and encrypted emails is T12453. --Tgr (talk) 07:04, 10 December 2018 (UTC)

Voting

  • Support More security for more users is always a good option. OverlordOdin (talk) 18:25, 16 November 2018 (UTC)
  • Support SEMMENDINGER (talk) 19:15, 16 November 2018 (UTC)
  • Support James Martindale (talk) 19:25, 16 November 2018 (UTC)
  • Support StudiesWorld (talk) 19:36, 16 November 2018 (UTC)
  • Support Tom Ja (talk) 19:47, 16 November 2018 (UTC)
  • Support Wostr (talk) 19:55, 16 November 2018 (UTC)
  • Support XXBlackburnXx (talk) 19:58, 16 November 2018 (UTC)
  • Support George Ho (talk) 20:30, 16 November 2018 (UTC)
  • Support Jeroen N (talk) 23:37, 16 November 2018 (UTC)
  • Support Definitely appropriate and necessary. Thanks for this suggestion. Super Wang on zhwiki (Share your opinions) 23:58, 16 November 2018 (UTC)
  • Support Meisam (talk) 00:04, 17 November 2018 (UTC)
  • Support Cohaf (talk) 00:17, 17 November 2018 (UTC)
  • Support — JJMC89 (T·C) 00:21, 17 November 2018 (UTC)
  • Support The Grid (talk) 01:57, 17 November 2018 (UTC)
  • Support Rschen7754 02:28, 17 November 2018 (UTC)
  • Support Ellery (talk) 02:40, 17 November 2018 (UTC)
  • Support Liuxinyu970226 (talk) 03:42, 17 November 2018 (UTC)
  • Support Enterprisey (talk) 04:06, 17 November 2018 (UTC)
  • Support Hiàn (talk) 04:43, 17 November 2018 (UTC)
  • Support 4nn1l2 (talk) 05:49, 17 November 2018 (UTC)
  • Support Fabiorahamim (talk) 07:00, 17 November 2018 (UTC)
  • Support Kpgjhpjm (talk) 09:00, 17 November 2018 (UTC)
  • Support ديفيد عادل وهبة خليل 2 (talk) 09:18, 17 November 2018 (UTC)
  • Support Afernand74 (talk) 09:36, 17 November 2018 (UTC)
  • Support 水瀬悠志 (talk) 09:38, 17 November 2018 (UTC)
  • Support ZellmerLP (talk) 09:59, 17 November 2018 (UTC)
  • Oppose I think that as it is, 2FA is not really robust enough to be allowed for everybody; we still have issues with people getting locked out of their accounts. That, and I am generally wary of security measures that require a lot of instructions to follow. Jo-Jo Eumerus (talk, contributions) 10:07, 17 November 2018 (UTC)
  • Support Like tears in rain (talk) 11:14, 17 November 2018 (UTC)
  • Support Martin Urbanec (talk) 13:51, 17 November 2018 (UTC)
  • Support Sakretsu (talk) 14:28, 17 November 2018 (UTC)
  • Strong oppose Per Jo-Jo Eumerus, primarily. 2FA over here is hands-down the worst of all I've used, and an aggressive pushing of 2FA (though optional) will lead to more registrations and consequently more lock-downs. If anybody has a profound interest, he/she can easily request at the Stewards' Noticeboard (over at Meta) to install 2FA on his/her account. Winged Blades of Godric (talk) 15:42, 17 November 2018 (UTC)
  • Support Blue Rasberry (talk) 15:47, 17 November 2018 (UTC)
  • Support Micru (talk) 16:04, 17 November 2018 (UTC)
  • Support Cabayi (talk) 17:24, 17 November 2018 (UTC)
  • Support Amir (talk) 19:01, 17 November 2018 (UTC)
  • Support JAn Dudík (talk) 20:04, 17 November 2018 (UTC)
  • Support Yamaha5 (talk) 20:34, 17 November 2018 (UTC)
  • Support Mehdi Talk 20:36, 17 November 2018 (UTC)
  • Support Fatemi 20:41, 17 November 2018 (UTC)
  • Support This would be a move towards securing the accounts of more and more Wikipedians. SshibumXZ (talk) 21:05, 17 November 2018 (UTC)
  • Support Ammarpad (talk) 21:16, 17 November 2018 (UTC)
  • Support Imzadi 1979 05:10, 18 November 2018 (UTC)
  • Support Temp3600 (talk) 05:41, 18 November 2018 (UTC)
  • Support Poya-P (talk) 06:14, 18 November 2018 (UTC)
  • Support — Newslinger talk 07:42, 18 November 2018 (UTC)
  • Support فرهنگ2016 (talk) 10:40, 18 November 2018 (UTC)
  • Support Sunfyre (talk) 13:56, 18 November 2018 (UTC)
  • Support stwalkerster (talk) 17:14, 18 November 2018 (UTC)
  • Support Pepe piton (talk) 17:48, 18 November 2018 (UTC)
  • Support Hyperik (talk) 20:26, 18 November 2018 (UTC)
  • Support Stryn (talk) 21:51, 18 November 2018 (UTC)
  • Support Better security should be a priority for all of us, not just those with specific tasks to undertake or roles to fulfill. Every user should be able to choose to use 2FA. DaneGeld (talk) 22:47, 18 November 2018 (UTC)
  • Support Titore (talk) 02:20, 19 November 2018 (UTC)
  • Oppose My ability to edit Wikipedia should not depend on my ability to remember an arbitrary string of numbers. FR30799386 (talk) 07:10, 19 November 2018 (UTC)
You don't need to remember the numbers; your 2FA app will give you the numbers you need. --Terra (talk) 15:32, 20 November 2018 (UTC)
  • Support ·addshore· talk to me! 10:00, 19 November 2018 (UTC)
  • Support Trizek from FR 10:23, 19 November 2018 (UTC)
  • Support but improve UI/documentation and work on phab:T180896. TheDJ (talk · contribs) 10:38, 19 November 2018 (UTC)
  • Support Muntashir.islam (talk) 11:33, 19 November 2018 (UTC)
  • Support - tucoxn\talk 14:17, 19 November 2018 (UTC)
  • Support Courcelles 15:06, 19 November 2018 (UTC)
  • Support Sadads (talk) 17:52, 19 November 2018 (UTC)
  • Support StringRay (talk) 22:34, 19 November 2018 (UTC)
  • Support Jamesmcmahon0 (talk) 10:29, 20 November 2018 (UTC)
  • Support Ejs-80 11:52, 20 November 2018 (UTC)
  • Support Thibaut120094 (talk) 14:24, 20 November 2018 (UTC)
  • Strong oppose No easy way to get back into your account if you lose access. --Terra (talk) 15:48, 20 November 2018 (UTC)
  • Support Lofhi (talk) 17:37, 20 November 2018 (UTC)
  • Support Mounir Touzri (talk) 18:44, 20 November 2018 (UTC)
  • Support CAPTAIN RAJU (T) 22:31, 20 November 2018 (UTC)
  • Support Novak Watchmen (talk) 00:00, 21 November 2018 (UTC)
  • Support Vulphere 05:16, 21 November 2018 (UTC)
  • Support Laboramus (talk) 07:25, 21 November 2018 (UTC)
  • Support BMK (talk) 10:59, 21 November 2018 (UTC)
  • Support Arian Talk 18:41, 21 November 2018 (UTC)
  • Support Just make sure it's opt-in. Topper13009 (talk) 20:06, 21 November 2018 (UTC)
  • Strong oppose per TerraCodes. Nihlus 22:16, 21 November 2018 (UTC)
  • Support Krinkle (talk) 01:45, 22 November 2018 (UTC)
  • Support CosmosAway (talk) 14:52, 22 November 2018 (UTC)
  • Support Sebari – aka Srittau (talk) 19:48, 22 November 2018 (UTC)
  • Support More security is always good. SalmanZ (talk) 21:09, 22 November 2018 (UTC)
  • Support Bilijin (talk) 06:52, 23 November 2018 (UTC)
  • Support AnuJuno (talk) 06:54, 23 November 2018 (UTC)
  • Support MisterSynergy (talk) 10:22, 23 November 2018 (UTC)
  • Support ~Cybularny Speak? 15:56, 23 November 2018 (UTC)
  • Support Mbrickn (talk) 21:17, 23 November 2018 (UTC)
  • Support Sannita - not just another it.wiki sysop 00:28, 24 November 2018 (UTC)
  • Support Pf1127 (talk) 06:41, 24 November 2018 (UTC)
  • Support Hmxhmx 10:01, 24 November 2018 (UTC)
  • Support Gce (talk) 18:53, 24 November 2018 (UTC)
  • Support Tgr (talk) 22:30, 25 November 2018 (UTC)
  • Support — AfroThundr (u · t · c) 01:45, 26 November 2018 (UTC)
  • Oppose Don't like the idea of pushing 2FA. Dreamy Jazz (talk) 08:51, 26 November 2018 (UTC)
  • Oppose per Jo-Jo Eumerus and TerraCodes. NinjaStrikers «» 11:40, 26 November 2018 (UTC)
  • Support Miles.world (talk) 23:18, 26 November 2018 (UTC)
  • Support, noting the concerns by opposers. 2FA needs a sane design before being rolled out to the masses. --Izno (talk) 00:42, 27 November 2018 (UTC)
  • Support Amir E. Aharoni (talk) 12:32, 27 November 2018 (UTC)
  • Support As long as it's optional ... Daniel Case (talk) 17:53, 27 November 2018 (UTC)
  • Oppose Ciao • Bestoernesto 01:04, 28 November 2018 (UTC)
  • Support Yes, please add optional 2FA to help keep accounts from being compromised. Culix (talk) 04:01, 28 November 2018 (UTC)
  • Oppose While this is a great idea from a security aspect, unless they make a better system to reset 2FA if the scratch codes are lost, I say don't do this. As of right now (as far as I recall) the Wikimedia operations team has to reset 2FA if scratch codes are lost; therefore giving anyone access to 2FA could lead to a huge backlog of requests to reset 2FA. Zppix (talk) 22:18, 28 November 2018 (UTC)
No, it doesn't require Ops. Reedy (talk) 23:31, 6 December 2018 (UTC)