U2F integration for Extension:OATHAuth
Open, Low, Public

Description

Research and, if possible, integrate U2F authentication as a method for two-factor authentication.

Parent5446 updated the task description.
Parent5446 raised the priority of this task from to Needs Triage.
Parent5446 added a subscriber: Parent5446.
Restricted Application added a subscriber: Aklapper. May 25 2015, 9:57 PM

Some quick notes for when this is started:

Tgr added a subscriber: Tgr. Nov 2 2015, 4:50 AM
Restricted Application added a subscriber: StudiesWorld. Dec 19 2015, 2:32 PM
Krenair added a subscriber: Krenair. Mar 8 2016, 7:27 PM

Just pinging to say I saw this and I'm thinking about it.

Krenair added a comment. Edited Jun 12 2016, 2:11 AM

I started playing with this a while back using a *heavily* modified fork of OATHAuth. It's nowhere near the point that I'd be comfortable sharing it though.

Wdwd added a subscriber: Wdwd. Nov 21 2016, 6:34 PM

I'm also interested, and intend to take a stab at implementing it sometime over the next few weeks. @Krenair @dpatrick let me know if you've started work on something worth basing my attempt off of.

There was another attempt today to break Wikipedia accounts of several prominent users. This would help us greatly.

I would like to support this request as well; it is very helpful.

TheDJ added a subscriber: TheDJ. May 16 2017, 2:58 PM
SPoore added a subscriber: SPoore. May 26 2017, 1:39 PM
Reedy added a subscriber: Reedy. Edited May 30 2017, 9:16 PM

There was another attempt today to break Wikipedia accounts of several prominent users. This would help us greatly.

I do note, just getting wider deployment of OATHAuth would be an easier (and quicker) win. I just filed T166622 as I can't find a current task...

I'm not 100% sure whether U2F would work better for some people, or just cause confusion. Or if just providing another option is a good idea generally (which I think it probably is).

We know of a few usability and social issues filed in MediaWiki-extensions-OATHAuth that we want to get fixed at some point.

revi added a subscriber: revi. Jun 7 2017, 6:49 AM
relrod added a subscriber: relrod. Jun 25 2017, 2:30 AM
Izno triaged this task as Low priority. Mon, Aug 14, 2:47 PM

Why was a security-relevant-task marked as “low”?

Not all security related tickets are vulnerabilities. In particular, this is a new feature request.

@Krenair: If it would be a vulnerability, the priority would be “high” if I’m not mistaken. I asked why this was lowered from “normal” to “low”, while it asks for an improvement in a security relevant area. In my eyes such a request should have a higher priority than a cat-image-generator.

TheDJ added a comment. Mon, Aug 14, 9:25 PM

@DaBPunkt our priorities reflect reality and not aspiration:
See also: https://www.mediawiki.org/wiki/Phabricator/Project_management#Priority_levels

If we have a ticket about a cat-image-generator that no one is actually working on, you are welcome to set that ticket to lowest :)

@TheDJ: I see. Now I begin to understand why the WMF never handles the important stuff: Nobody cares about the important stuff, so it is marked as “low”, and because it is marked as “low”, nobody cares about it.

“Though this be madness, yet there is method in 't.”

@DaBPunkt: The Etiquette asks you to have "meta-level discussions on priorities in general" somewhere else. Likely the same for discussing "the WMF".
Thanks in advance for staying on-topic.

Reedy added a comment. Tue, Aug 15, 3:29 PM

@TheDJ: I see. Now I begin to understand why the WMF never handles the important stuff: Nobody cares about the important stuff, so it is marked as “low”, and because it is marked as “low”, nobody cares about it.

“Though this be madness, yet there is method in 't.”

Patches are welcome.