Investigate additional password reset methods (apart from email)
Open, Low, Public

Description

If you go to https://en.wikipedia.org/wiki/Special:Preferences, currently the only way to secure your account is email, which can send an email if you want to reset your account. We should increase the privacy/password reset options.

Potential reset methods:

  • We could add support for security questions, enabling users that have had their email changed to be able to control their account through security questions. Most sites do this, which would add extra security to the users.
  • Also we could add support for Two Factor Authentication using a phone number. The user should have to verify the number first before the number is used for anything on the account. When verified, if the user wants to reset via phone then he or she can. They will get a code that they then enter in the form to unlock the account to change password.
Paladox created this task. Dec 20 2015, 6:12 PM
Paladox updated the task description.
Paladox raised the priority of this task from to Needs Triage.
Paladox added a subscriber: Paladox.
Restricted Application added subscribers: StudiesWorld, Aklapper. Dec 20 2015, 6:12 PM
Reedy renamed this task from Increase privacy settings support to Additional password reset methods. Dec 20 2015, 6:14 PM
Reedy added a project: Security-Team.
Reedy set Security to None.
Reedy added a subscriber: Reedy.

Password reset via text message could be interesting for WMF usage... Finding a provider that's reliable to do so might be good fun

Attaching Security-Team for their input of methods to be implemented

Aklapper renamed this task from Additional password reset methods to Investigate additional password reset methods (apart from email). Dec 20 2015, 6:20 PM
Paladox updated the task description. Dec 20 2015, 6:27 PM
Aklapper updated the task description. Dec 20 2015, 6:31 PM
Reedy added a comment. Dec 20 2015, 6:42 PM

Aren't Security Questions generally considered a bad idea?

Reedy added a comment. Dec 20 2015, 6:43 PM
This comment was removed by Reedy.
Reedy updated the task description. Dec 20 2015, 6:47 PM
Reedy updated the task description.
Reedy added a comment. Dec 20 2015, 6:52 PM

2FA on login via having a text message sent is a bit different to reset via phone number... Roughly the same workflow. I don't know if sending SMS via web services has a standardised way of doing it. Or we'd just need to implement multiple providers (keeping it OOP-sy) as people require etc.

Sounds like something to go into an extension rather than core itself probably. Whether WMF would want it is another issue.

Should wait for the Security guys to give their 2c, of what should be done generally for MW, and on from that, what would be nice for WMF usage

I know Opsen have enough trouble with reliable message delivery for automated notifications. So finding a good provider would be half the battle

Reedy triaged this task as Low priority. Dec 20 2015, 6:53 PM
Reedy added subscribers: csteipp, dpatrick.

@csteipp and @dpatrick, your input is appreciated :D

Bawolff added a subscriber: Bawolff. Edited Dec 20 2015, 10:03 PM

2FA on Wikimedia is one of the quarterly goals of the security team for next quarter. (In at least some form. I always assumed it was going to be more of a TOTP sort of thing rather than SMS, but I don't really know the details)

This should also be added to MediaWiki for other users of MediaWiki. They would need to choose who to host their phone provider with.

csteipp added a subscriber: Tgr. Dec 21 2015, 5:30 PM
  • Security questions are almost always a bad idea. They have to be usable, but people tend to make really horrible choices of answers, so brute-forcing (or googling the person to find out the address of the first home they owned) has led to numerous account takeovers.
  • Setting up 2FA, then allowing one factor to be reset by the other means you really only have 1-factor authentication. If we were to set up 2FA using SMS, we would probably not allow that same phone number to be used for password reset as well.

Currently, we have "committed identities" to prove your identity to a steward, or someone who can reset your password. @Tgr is also working on supporting GPG at different points in MediaWiki, and could easily be used for account recovery as well (probably the safest option for account recovery that we have).
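
An added example (not part of the thread and not MediaWiki code) of the point above about one factor resetting the other: it computes the smallest set of things an attacker must control to log in, given the login factors and the reset paths. The function name, factor names and configurations are hypothetical, and reset paths are followed one level deep only.

```python
from itertools import product


def weakest_takeover(login_factors, reset_paths):
    """Smallest set of things an attacker must control to log in.

    login_factors: factor name -> the thing that proves it
    reset_paths:   factor name -> list of sets; controlling every thing in
                   one set is enough to reset (and so satisfy) that factor
    Reset paths are followed one level deep only (assumption).
    """
    options = []
    for factor, thing in login_factors.items():
        ways = [frozenset([thing])]                       # attack it directly
        ways += [frozenset(p) for p in reset_paths.get(factor, [])]
        options.append(ways)
    # Pick one way per required factor, then count the distinct things needed.
    candidates = [frozenset().union(*combo) for combo in product(*options)]
    return sorted(min(candidates, key=lambda c: (len(c), sorted(c))))


# Constructed configurations, not real MediaWiki settings.
TWO_FACTOR = {"password": "password", "sms_otp": "phone"}

# Password reset by SMS to the same number used for 2FA.
SAME_PHONE = weakest_takeover(TWO_FACTOR, {"password": [{"phone"}]})
# Password reset by email, SMS kept for the second factor only.
SEPARATE = weakest_takeover(TWO_FACTOR, {"password": [{"email"}]})
# No second factor: password login with email reset.
EMAIL_ONLY = weakest_takeover({"password": "password"}, {"password": [{"email"}]})

if __name__ == "__main__":
    for name, result in [("2FA, reset via same phone", SAME_PHONE),
                         ("2FA, reset via email", SEPARATE),
                         ("password + email reset", EMAIL_ONLY)]:
        print(f"{name}: attacker needs {len(result)} -> {result}")
```

When the reset path reuses the 2FA phone number, the result has a single element, which is the collapse to one factor described in the comment.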

Tgr added a comment. Dec 21 2015, 11:40 PM

> @Tgr is also working on supporting GPG at different points in MediaWiki, and could easily be used for account recovery as well (probably the safest option for account recovery that we have).

That would be fairly easy to do after AuthManager is out, but I'm not sure I see the use case here. For people who care about security, email reset seems a decent option as there are mainstream email providers (e.g. Google) that do a much better job of securing user accounts than we do, so it's not like email reset would be the weak link in Wikimedia account security. For users who are not security-conscious to the extent that they forget their password AND forget which email address they were using (or forget that password as well), offering two-factor or public key options does not seem useful.