Research and, if possible, integrate U2F authentication as a method for two-factor authentication.
Some quick notes for when this is started:
- U2F only works in Google Chrome at the moment, as it requires speaking to the actual device.
- Yubico provides libraries and a standalone server for U2F. It'd probably be best to have options for both.
- PHP library: https://github.com/Yubico/php-u2flib-server and https://developers.yubico.com/U2F/Libraries/Using_a_library.html
- Standalone server: https://developers.yubico.com/u2fval/ and https://developers.yubico.com/U2F/Standalone_servers/U2FVAL_REST_API.html and https://github.com/Yubico/u2fval-client-php
I do note, just getting wider deployment of OATHAuth would be an easier (and quicker) win. I just filed T166622 as I can't find a current task...
I'm not 100% sure whether U2F would work better for some people, or just cause confusion. Or if just providing another option is a good idea generally (which I think it probably is).
We know of a few usability and social issues filed in MediaWiki-extensions-OATHAuth that we want to get fixed at some point.
@Krenair: If it would be a vulnerability, the priority would be “high” if I’m not mistaken. I asked why this was lowered from “normal” to “low”, while it asks for an improvement in a security-relevant area. In my eyes such a request should have a higher priority than a cat-image-generator.
@DaBPunkt our priorities reflect reality and not aspiration:
See also: https://www.mediawiki.org/wiki/Phabricator/Project_management#Priority_levels
If we have a ticket about a cat-image-generator that no one is actually working on, you are welcome to set that ticket to lowest :)