Research and, if possible, integrate U2F authentication as a method for two-factor authentication.
Some quick notes for when this is started:
- U2F only works in Google Chrome at the moment, as it requires speaking to the actual device.
- Yubico provides libraries and a standalone server for U2F. It'd probably be best to have options for both.
- PHP library: https://github.com/Yubico/php-u2flib-server and https://developers.yubico.com/U2F/Libraries/Using_a_library.html
- Standalone server: https://developers.yubico.com/u2fval/ and https://developers.yubico.com/U2F/Standalone_servers/U2FVAL_REST_API.html and https://github.com/Yubico/u2fval-client-php
I do note, just getting wider deployment of OATHAuth would be an easier (and quicker) win. I just filed T166622 as I can't find a current task...
I'm not 100% sure whether U2F would work better for some people, or just cause confusion. Or if just providing another option is a good idea generally (which I think it probably is).
We know of a few usability and social issues filed in MediaWiki-extensions-OATHAuth that we want to get fixed at some point.