
Implement option "require two-factor authentication only for dangerous actions"
Open, Medium, Public

Description

TLDR: Implement an option that, if enabled, would require two-factor authentication only for some MW actions, like change of password, user preferences, or sysop actions.

Explanation, justification:

Right now there are only two options:

  • Don't use two-factor authentication (insecure)
  • Use two-factor authentication (annoying as hell)

Option I would like to see implemented:

  • Require two-factor authentication only when performing a restricted action (privileged / sysop action, accessing user preferences, etc.); don't require two-factor auth for simple wiki editing, talk page editing, etc.

With two-factor authentication it doesn't seem to be possible to make the session persistent, and it really is extremely annoying to look for your mobile phone, open the app and fill in the code every time you want to do some simple wiki action. I am very lazy and even found myself deciding not to make a minor change (be it a typo fix etc. in an article on English Wikipedia) rather than going through the hassle of using Google Authenticator.

I think it would be really cool to have an option (or maybe even more of them?) that would help specify when two-factor auth is really desired, so that for example users could decide that for simple actions like wiki editing a normal login would be sufficient, but for changes like:

  • Change of password
  • Change of (some) preferences
  • Admin actions (block, delete etc.)

two-factor authentication would be enforced.

An idea of how this could look in the user interface (in the preferences dialog):

Instead of

Two-factor authentication: enable / disable

There could be radio buttons:

  • Disable
  • Enable, require 2FA token only when performing changes to your preferences or actions that require elevated privileges
  • Enable, require 2FA token for every login

Event Timeline

Bawolff subscribed.

This is sort of similar to (but definitely not the same as) T199118 / T197501. Perhaps doing that bug would be a prerequisite to this one (as it would make it easier to implement this one).

> With two-factor authentication it doesn't seem to be possible to make the session persistent

I'm not sure I understand what you mean. 2FA will last as long as your current session. You can't make it last independently of your current session, but if you check "remember me" it will last as long as your login status lasts (I think that's 180 days).

Most people will have to use 2-factor auth very rarely:

  • When logging in, once every 365 days because they check the "Keep me logged in" checkbox.
  • When changing their password or other authentication data.
  • When managing BotPasswords.
  • When changing their email address.
  • (not on Wikimedia sites: if something like GoogleLogin is enabled then linking or unlinking an account for that)

I don't know how you could be running into this for making edits or other "simple wiki action[s]", unless you log yourself out constantly or never use the "Keep me logged in" checkbox.

It's important to keep in mind here that threat models differ for different users. For some accounts, it's the reputation that matters (e.g. in a role account it probably matters what the person is saying, not what they are doing). For others, having a method of logging in without 2FA where the account becomes non-admin is probably sufficient. If we do this bug, it's important to keep in mind the differing requirements, ensuring that we cater to both groups and create a UI that ensures people select the right security guarantees for their needs.

Hi. Here are my two cents. I'm an interface admin. I never check "keep me logged in" on mobile because of security: if somebody "takes" my mobile, I do not want the account to be used. If 2FA is forced on interface admins, I'll need to check it, to avoid 2FA every day. So it will decrease the security, not increase it.

> This is sort of similar to (but definitely not the same as) T199118 / T197501. Perhaps doing that bug would be a prerequisite to this one (as it would make it easier to implement this one).

Probably. Off the top of my head, to do this you'd need a few pieces:

  • OATHAuth to be able to effectively remove certain user rights in certain situations. This code could be largely shared with those tasks, and might use the 'UserGetRights' hook.
  • OATHAuth's TOTPSecondaryAuthenticationProvider to allow skipping entering the second factor, triggering the above to remove the appropriate user rights.
  • Optionally, anything that fails due to missing user rights to test whether a re-login without bypassing TOTPSecondaryAuthenticationProvider would help, and to change the error message appropriately. But, of course, in a generic manner rather than specific to OATHAuth.
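The first piece in the list above, sketched as an added example (this is not OATHAuth or MediaWiki code): a 'UserGetRights' hook handler that strips privileged rights from a session whose second factor has not been verified recently. The session key `oath-verified-at`, the list of step-up rights and the one-hour freshness window are assumptions of this sketch; the hook name and its `( $user, &$rights )` signature are MediaWiki's.

```php
<?php
// Added illustration, not project code. Registration in an extension's extension.json
// would look like:  "Hooks": { "UserGetRights": "StepUpRightsHooks::onUserGetRights" }

use RequestContext;

class StepUpRightsHooks {
	/** Rights that should only work shortly after a second-factor check (assumed list). */
	private const STEP_UP_RIGHTS = [
		'block', 'delete', 'checkuser', 'editinterface', 'editsitecss', 'editsitejs',
	];

	/** How long a second-factor verification stays fresh, in seconds (assumed: 1 hour). */
	private const FRESHNESS_SECONDS = 3600;

	/**
	 * Pure policy decision, kept free of MediaWiki globals so it can be unit tested.
	 *
	 * @param string[] $rights   Rights the user would normally have
	 * @param int|null $verifiedAt Unix time of the last successful second-factor check, or null
	 * @param int $now           Current Unix time
	 * @return string[] Rights to grant for this request
	 */
	public static function filterRights( array $rights, ?int $verifiedAt, int $now ): array {
		$fresh = $verifiedAt !== null && ( $now - $verifiedAt ) <= self::FRESHNESS_SECONDS;
		if ( $fresh ) {
			return $rights; // recent token: full rights, so a burst of blocks needs no re-prompt
		}
		// Stale or never verified: keep editing etc., drop only the step-up rights.
		return array_values( array_diff( $rights, self::STEP_UP_RIGHTS ) );
	}

	/**
	 * UserGetRights hook handler. MediaWiki passes $rights by reference; any right we
	 * remove here is gone for this request, so the normal "permission denied" path
	 * runs and could (third bullet above) suggest re-authenticating with the token.
	 */
	public static function onUserGetRights( $user, array &$rights ) {
		$session = RequestContext::getMain()->getRequest()->getSession();
		// Assumed key, written by the TOTP provider when the second factor succeeds.
		$verifiedAt = $session->get( 'oath-verified-at' );
		$rights = self::filterRights(
			$rights,
			$verifiedAt === null ? null : (int)$verifiedAt,
			time()
		);
		return true;
	}
}
```

With this in place, a "remember me" session that was last verified days ago can still edit, but `block` or `delete` fail until the token is entered again, which is the unattended-computer case raised later in this thread.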

Now this is interesting. I use my account on multiple devices (more than 10 separate devices including virtual machines, my phone, tablet, etc.), and I always check "remember me" everywhere I can, although I can't do that with bot logins.

My sessions never last more than 1 day on any of the mentioned devices. Every following day I start using WP on any device, I am logged out. I was thinking that's intended, since I started experiencing this only after I configured 2FA.

It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation every time you want to change your password (I believe that might actually already be the case), or change your preferences, or eventually, making your "admin sessions" (yes, I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like

  • block user
  • delete
  • checkuser
  • edit MW global space, CSS / JS etc

should require you to enter a 2FA token unless you recently provided it. I think this would increase the security in case someone got access to the unattended computer of some sysop who wasn't doing anything on the wiki recently, but did check "remember me" in the past.

But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.

> It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation every time you want to change your password (I believe that might actually already be the case), or change your preferences, or eventually, making your "admin sessions" (yes, I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like
>
>   • block user
>   • delete
>   • checkuser
>   • edit MW global space, CSS / JS etc
>
> should require you to enter a 2FA token unless you recently provided it. I think this would increase the security in case someone got access to the unattended computer of some sysop who wasn't doing anything on the wiki recently, but did check "remember me" in the past.

Are you sure this is a good thing to do? When patrolling during school hours, I need to block users quickly to stop them from vandalizing, sometimes several IPs at the same time. I do not want the system to ask me for a token when blocking (not even for the first block). The same with delete.

Instead, let's educate admins not to use "Remember me" on computers they do not own. I don't need to enter 2FA frequently.

> But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.

It is, and it works. What comes to my mind: logging out does log you out everywhere, not just on this device (including devices where you used the "remember me" option).

> > It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation every time you want to change your password (I believe that might actually already be the case), or change your preferences, or eventually, making your "admin sessions" (yes, I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like
> >
> >   • block user
> >   • delete
> >   • checkuser
> >   • edit MW global space, CSS / JS etc
> >
> > should require you to enter a 2FA token unless you recently provided it. I think this would increase the security in case someone got access to the unattended computer of some sysop who wasn't doing anything on the wiki recently, but did check "remember me" in the past.
>
> Are you sure this is a good thing to do? When patrolling during school hours, I need to block users quickly to stop them from vandalizing, sometimes several IPs at the same time. I do not want the system to ask me for a token when blocking (not even for the first block). The same with delete.
>
> Instead, let's educate admins not to use "Remember me" on computers they do not own. I don't need to enter 2FA frequently.
>
> > But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.
>
> It is, and it works. What comes to my mind: logging out does log you out everywhere, not just on this device (including devices where you used the "remember me" option).

I think you didn't read or didn't understand my whole proposal. First of all, this is meant to be an optional feature, so if you don't like it, you don't have to use it. Then, I already said that this would require a 2FA token only if you didn't recently provide it. So if you want to block multiple users and you aren't going to spend 2 days filling in the block form, it wouldn't ask you for a token.

@Petrb I read your proposal and I consider it useless, because of what I wrote. I don't think it is a good thing to do. Yes, I understand it is optional, but it will still require some $$$ to invest :). I think it is better not to log in permanently when you do not own the computer than to log in permanently and think something like "well, the software will require 2FA before anything dangerous".

Especially when talking about accounts with advanced privileges, I think even being able to edit is a dangerous privilege, because there is always some difference between an admin's opinion, a logged-in user's opinion and an IP's opinion.

T153454: Enable BotPasswords (or similar feature) for web/interactive access can be a useful thing.

> @Petrb I read your proposal and I consider it useless, because of what I wrote. I don't think it is a good thing to do. Yes, I understand it is optional, but it will still require some $$$ to invest :). I think it is better not to log in permanently when you do not own the computer than to log in permanently and think something like "well, the software will require 2FA before anything dangerous".
>
> Especially when talking about accounts with advanced privileges, I think even being able to edit is a dangerous privilege, because there is always some difference between an admin's opinion, a logged-in user's opinion and an IP's opinion.
>
> T153454: Enable BotPasswords (or similar feature) for web/interactive access can be a useful thing.

It will require $0 if done by a volunteer, and just because it's useless in your, imho limited, use case doesn't mean it's useless for all other users. I gave multiple examples, with very different use cases than yours, where this would be very useful.

chasemp triaged this task as Medium priority. Dec 9 2019, 4:52 PM