
Expand the access to 2FA on fawiki
Closed, DeclinedPublic

Description

Currently, two-factor authentication is only available to a limited set of user groups on fawiki (checkusers, oversighters, bureaucrats, sysops, eliminators), although I actually cannot find where in InitialiseSettings.php that restriction is specified.

I would like to request this to be expanded to the following user groups as well:

  • rollbacker
  • extendedconfirmed
  • templateeditor

These groups include users that are either very senior, or have high trust of the community, or both, and because of their access/seniority, are often highly respected. Highly respected users at fawiki tend to be the target of trolls trying to hack into their accounts (some of them receive tens of failed login attempt notifications every day). Having the peace of mind of 2FA can be beneficial to these groups.

Event Timeline

These are configured in here in InitialiseSettings.php.

Farsi Wikipedia already allows templateeditor users to use 2FA ('+fawiki' => [ 'templateeditor' ],) so you can expand that line to add rollbackers and extendedconfirmed and that will let them enable 2FA on their accounts.

However please make sure that the users understand the consequences of enabling 2FA with regards to the scratch codes and the authentication device. Make sure they understand that they need to keep the scratch codes in a safe place, etc. It is unlikely that Trust-and-Safety will be doing 2FA resets for large numbers of accounts.

@MarcoAurelio I will create a detailed Help page on fawiki first, so that users are aware of the process and the consequences. Then I will submit a patch to add those two groups.

Huji triaged this task as Low priority.

Change 392224 had a related patch set uploaded (by Huji; owner: Huji):
[operations/mediawiki-config@master] Expand the access to 2FA on fawiki

https://gerrit.wikimedia.org/r/392224

I updated https://fa.wikipedia.org/wiki/ویکی‌پدیا:اعتبارسنجی_دومرحله‌ای to include warnings about the case where a user with 2FA would lose their access to the token generating app. I also submitted a patch. Once approved, I will make an announcement on fawiki, reminding the users about which groups have been added and a reference to the cautionary words.

Dereckson subscribed.

Pinging Trust-and-Safety to notify them that we increase the probability of reset requests.

Security-Team, are you fine with such community requests to adapt target user groups?

https://quarry.wmflabs.org/query/23119 shows the current size of various user groups in fawiki. This request is adding ~800 new members to the 2FA group. Currently, we only have ~40 users with 2FA access at fawiki. It is expected that most of the 800 new users will not use 2FA for now, but still it is fair to assume that the number of people using 2FA at fawiki at least doubles in the short term.
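As an added illustration of how the group sizes above can be checked (this is not the linked Quarry query and not part of the task), the following SQL runs against the MediaWiki replica schema's user_groups table. It assumes the oversighter group is stored under its internal name 'suppress' and that the other group names match the ones used in the task description.

```sql
-- Size of each user group the request touches (rollbacker, extendedconfirmed)
-- and of the groups the task description says already have 2FA access.
-- Schema assumed: MediaWiki user_groups (ug_user, ug_group, ug_expiry);
-- 'suppress' is assumed to be the internal name of the oversighter group.
SELECT ug_group, COUNT(DISTINCT ug_user) AS members
FROM user_groups
WHERE ug_group IN ('rollbacker', 'extendedconfirmed',
                   'templateeditor', 'eliminator', 'sysop',
                   'bureaucrat', 'checkuser', 'suppress')
  -- ug_expiry is a MediaWiki timestamp string (YYYYMMDDHHMMSS); NULL = permanent
  AND (ug_expiry IS NULL
       OR ug_expiry > DATE_FORMAT(UTC_TIMESTAMP(), '%Y%m%d%H%i%S'))
GROUP BY ug_group
ORDER BY members DESC;

-- Net-new users: members of the requested groups who are not already in a
-- group that grants 2FA access, i.e. the actual increase in the population
-- that could later generate 2FA reset requests.
SELECT COUNT(DISTINCT r.ug_user) AS net_new_2fa_eligible
FROM user_groups AS r
WHERE r.ug_group IN ('rollbacker', 'extendedconfirmed')
  AND (r.ug_expiry IS NULL
       OR r.ug_expiry > DATE_FORMAT(UTC_TIMESTAMP(), '%Y%m%d%H%i%S'))
  AND NOT EXISTS (
        SELECT 1
        FROM user_groups AS e
        WHERE e.ug_user = r.ug_user
          AND e.ug_group IN ('templateeditor', 'eliminator', 'sysop',
                             'bureaucrat', 'checkuser', 'suppress')
          AND (e.ug_expiry IS NULL
               OR e.ug_expiry > DATE_FORMAT(UTC_TIMESTAMP(), '%Y%m%d%H%i%S'))
  );
```

The second query gives the figure that matters for the reset-request concern raised later in the thread, since users already covered by an existing 2FA group do not add to it.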

Can I remind Security-Team to take a look at this and either approve or deny?

In my humble opinion, the biggest bottleneck here is increase in number of requests of 2FA reset. I can help Su&Sa with both communication and technical matters. I know a little bit about social engineering and keep that in mind in resetting anyone's 2FA (I also know most prominent users in person, that makes things easier). I hope @Jalexander is fine with it.

Security-wise, it doesn't seem so much of a hassle, especially since we have a rather special situation with Persian Wikipedia; it increases the security and safety of the users in the real world.

Can I remind Security-Team to take a look at this and either approve or deny?

Our biggest concern is handling the increased volume of reset requests (along with the fact that procedures about reset requests are a bit missing). If SuSa is ok with handling that (big if. I have no idea what their opinion is on this), then I don't think Security-Team has any objections to this request.

Reiterating the concerns of T180648#3766136 in fine which are shared by @Ladsgroup and @Bawolff as well. I understand Trust-and-Safety has been doing efforts in resetting 2FA from established accounts, but it is unlikely that they will continue to do so on other accounts; with the result of having accounts locked forever.

If SuSa is ok with handling that (big if. I have no idea what their opinion is on this), then I don't think Security-Team has any objections to this request.

I'd have to check with my manager. I've unofficially taken this workflow from James since it was pretty infrequent, we'd need to speak about it were that to change.

Change 392224 abandoned by Huji:
Expand the access to 2FA on fawiki

Reason:
Requires approval by the WMF Security Team first.

https://gerrit.wikimedia.org/r/392224

Just an update on this. Support and Safety is in theory very much in support of expanding 2FA to more communities, but currently we are not in the position to support the expected large increase in reset requests.

We need to work toward a sustainable solution to this aspect of 2FA, whatever that may be, before expanding it so widely.

Removing task assignee due to inactivity, as this open task has been assigned to the same person for more than two years (see the emails sent to the task assignee on Oct 27 and Nov 23). Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome.
(See https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips how to best manage your individual work in Phabricator.)

Xaosflux subscribed.

Marking as declined due to the still insufficient recovery support for expanding the user base of this feature to users that haven't been very carefully warned.

Users that wish to test may still request access centrally at: https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions

I suspect that once a more robust 2FA recovery process gets built (c.f. T352856) general availability of this feature could be enabled without requiring any per-project requests.

Actually we made a lot of progress in this regard. Now people can disable 2FA via a special page rather than running a maint script in production. As a result, the user right to disable 2FA can now be easily[1] expanded to potentially stewards and checkusers to reduce the work from T&S and slowly allow us to roll it out to larger groups (maybe extended confirmed) in some wikis. Persian Wikipedia is actually a good candidate wiki given the sensitivity of editing in Iran or related to Iran.

[1] By easily I mean technically it's easy since it's just a mw config patch now. It probably needs a sign off from some people at WMF plus training for these users on social engineering, requiring 2FA for them, and probably security training as well, etc.

Agree that progress has been made on improving support, but as you mentioned there is yet to be a workflow released to production support for non-staff, nor a commitment from staff that they are ready to support significantly expanding the "testers". fawiki could be a good early adopter once that is ready, and extendedconfirmed type groups seem like a good candidate.