Users should be notified when only two recovery codes are left
Closed, ResolvedPublic
Actions

Description

Probably should be done using Echo

Details

Subject	Repo	Branch	Lines +/-
Add notification when user is running out of recovery codes	mediawiki/extensions/OATHAuth	REL1_41	+123 -4
Add notification when user is running out of recovery codes	mediawiki/extensions/OATHAuth	REL1_43	+123 -4
Add notification when user is running out of recovery codes	mediawiki/extensions/OATHAuth	REL1_42	+123 -4
Add notification when user is running out of recovery codes	mediawiki/extensions/OATHAuth	REL1_39	+233 -4
Add notification when user is running out of recovery codes	mediawiki/extensions/OATHAuth	master	+123 -4

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T100375 Improve user experience of Two-Factor process
Open		None	T352856 Recovery code improvements
Open		None	T125653 Create new types of notifications
Open		None	T166622 Allow all users on all wikis to use OATHAuth
Resolved		Reedy	T131788 Users should be notified when only two recovery codes are left
Open		None	T150601 Add option to generate new set of recovery codes
Open		None	T232336 Separate recovery codes into a separate MFA method
Open		taavi	T242031 Allow multiple different 2FA devices
Resolved		Reedy	T268564 Convert OATHAuth to AbstractSchema
Resolved		taavi	T330502 Create oathauth_types and oathauth_devices tables
Resolved		Marostegui	T348693 Drop oathauth_users table from production
Open		taavi	T353962 Add new notifications for additional 2FA being enabled/disabled
Open	PRODUCTION ERROR	None	T368468 Cannot switch 2FA method between TOTP and WebAuthn: InvalidArgumentException: User already has a key from a different module enabled (totp)

Event Timeline

• dpatrick created this task.Apr 4 2016, 6:29 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 4 2016, 6:29 PM

• dpatrick added a parent task: T100375: Improve user experience of Two-Factor process.May 27 2016, 2:43 AM

Reedy added a project: Notifications.Sep 16 2016, 11:01 PM

Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptSep 16 2016, 11:01 PM

Reedy updated the task description. (Show Details)Sep 16 2016, 11:01 PM

In OATHAuthKey.php...

		// See if the user is using a scratch token
		if ( !$retval ) {
			$length = count( $this->scratchTokens );
			// Detect condition where all scratch tokens have been used
			if ( $length == 1 && "" === $this->scratchTokens[0] ) {
				$retval = false;
			} else {
				for ( $i = 0; $i < $length; $i++ ) {
					if ( $token === $this->scratchTokens[$i] ) {
						// If there is a scratch token, remove it from the scratch token list
						unset( $this->scratchTokens[$i] );
						$oathrepo = OATHAuthHooks::getOATHUserRepository();
						$user->setKey( $this );
						$oathrepo->persist( $user );
						// Only return true if we removed it from the database
						$retval = self::SCRATCH_TOKEN;
						break;
					}
				}
			}
		}

It should just need the notification stuff plumbing in (after being designed?) somewhere around there

• Catrope added a parent task: T125653: Create new types of notifications.Sep 21 2016, 11:54 PM

Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?

From a user experience POV it would be nice to be able to list the tokens at any time as well. Google allows this on https://myaccount.google.com/security/signinoptions/two-step-verification and it has been handy in the past for me.

In T131788#2707987, @bd808 wrote:

Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?

Yeah. Having to disable and re-enable is a bad user experience for sure.

From a user experience POV it would be nice to be able to list the tokens at any time as well. Google allows this on https://myaccount.google.com/security/signinoptions/two-step-verification and it has been handy in the past for me.

@csteipp can maybe comment more, but I don't know if I agree with this. The backup codes are a shared secret between the server and user, and we should avoid communicating shared secrets as much as possible. It'd be better to only show the codes once, and if the user wants to see them again, just generate brand new codes.

In T131788#2708008, @Parent5446 wrote:

It'd be better to only show the codes once, and if the user wants to see them again, just generate brand new codes.

I'd be fine with that solution.

Reedy moved this task from Backlog to Need for Deployment on the MediaWiki-extensions-OATHAuth board.Oct 31 2016, 2:44 PM

TerraCodes subscribed.Nov 12 2016, 9:25 PM

Xaosflux subscribed.Nov 12 2016, 11:52 PM

This comment was removed by Xaosflux.

TheDJ subscribed.Nov 13 2016, 9:44 AM

TheDJ added a subtask: T150601: Add option to generate new set of recovery codes.Nov 13 2016, 9:47 AM

Reedy mentioned this in T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB.Nov 14 2016, 5:21 PM

TheDJ mentioned this in T168064: Possible issue with 2FA tokens.Jun 16 2017, 2:03 PM

Framawiki subscribed.Jun 16 2017, 4:30 PM

Reedy mentioned this in T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling.Sep 4 2017, 1:52 PM

mxn subscribed.Nov 6 2017, 6:27 AM

Tgr mentioned this in T166622: Allow all users on all wikis to use OATHAuth.Dec 6 2018, 8:22 AM

Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.

MGChecker subscribed.Dec 6 2018, 6:24 PM

Restricted Application added a project: Growth-Team. · View Herald TranscriptDec 6 2018, 6:24 PM

AfroThundr3007730 subscribed.Dec 7 2018, 2:22 AM

A better solution is for MW to just list out the remaining scratch codes left.

In T131788#4808465, @Leaderboard wrote:

A better solution is for MW to just list out the remaining scratch codes left.

I'm not sure how a list somewhere a user isn't going to probably look is a better solution than a notification that they are much more likely to see

Tgr added a parent task: T166622: Allow all users on all wikis to use OATHAuth.Dec 10 2018, 7:07 AM

Reedy mentioned this in T211831: More safety codes for 2FA.Dec 12 2018, 11:40 PM

• Catrope moved this task from Inbox to External on the Growth-Team board.Jan 8 2019, 2:16 AM

MBinder_WMF added a project: Growth-Team-Filtering.Apr 15 2021, 6:59 PM

Aklapper removed a project: Collaboration-Team-Triage.May 25 2021, 9:09 PM

T210075: Send notification when 2FA is disabled/T210963: Send an email when 2FA is disabled do some prep work integrating Notifications

Logicer subscribed.Jul 5 2022, 5:48 AM

Aklapper moved this task from Need for Deployment to Backlog on the MediaWiki-extensions-OATHAuth board.Jul 23 2022, 10:08 AM

Dringsim subscribed.Sep 24 2023, 1:03 PM

Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Nov 20 2023, 9:56 PM

Reedy added a parent task: T352856: Recovery code improvements.Dec 6 2023, 12:44 PM

Reedy moved this task from Backlog to External on the Notifications board.Dec 22 2023, 6:04 PM

Reedy renamed this task from Users should be notified when only two scratch tokens are left to Users should be notified when only two recovery codes are left.Jan 1 2024, 8:49 PM

Change 990132 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/990132

gerritbot added a project: Patch-For-Review.Jan 12 2024, 3:30 PM

This message makes more sense in the context of using a token, so ideally IMO it shouldn't be a notification but an interstitial shown after using up the third-to-last token. If a notification is much easier to add, that makes sense, but not sure that is the case?

Maybe both make sense?

An interstitial is dismissed and it’s gone.

A notification (depending on how you deal with it), can still be there for referencing.

They can result in emails (but looks like we might need to wire that in a little differently; the 2FA ones don’t show in the Notifications tab in preferences. I don’t know if this is because they’re marked system, and actually trigger emails anyway) or via Apps too.

They therefore can work without JS.

And they also result in the user getting some notification such as if they log in via apps (rather than needing to do a separate implementation of the interstitial because they reimplement the login screen).

And also, work for our use cases like Striker (combined with the email notifications), where you can use a recovery code on a “third party” site, so wouldn’t see an interstitial inside MW either…

Reedy mentioned this in T355016: Allow users to customise where they get 2FA related notifications.Jan 14 2024, 9:21 AM

Yeah good points.

Change #990132 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/990132

Change #1085919 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_43] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085919

Change #1085923 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_42] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085923

Change #1085924 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_41] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085924

Change #1085925 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_39] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085925

Change #1085925 abandoned by Reedy:

[mediawiki/extensions/OATHAuth@REL1_39] Add notification when user is running out of recovery codes

Reason:

nvm

https://gerrit.wikimedia.org/r/1085925

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.2; 2024-11-05).Sat, Nov 2, 12:00 PM

Reedy closed this task as Resolved.Sat, Nov 2, 1:29 PM

Reedy claimed this task.

Change #1085923 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_42] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085923

Change #1085919 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_43] Add notification when user is running out of recovery codes

https://gerrit.wikimedia.org/r/1085919

Change #1085924 merged by jenkins-bot: