Page MenuHomePhabricator
Create Task
Maniphest T150646

Create a Wikimedia hosted two-factor authentication app for multiple platforms
Closed, DeclinedPublic
Actions

Description

As open source solutions are available for two-factor authentication (2FA), if the WMF were to host a solution for Wikimedia volunteers, and potentially any other members of the public looking for reliable 2FA apps, this might ease some doubts about the long term maintenance of some of the mobile application alternatives, and ensure that there was a firmly recommended app, without any fear of future advertising or that something dubious was going on with handling the data.

A potential out of the box solution is https://github.com/authy.

If the WMF has already rejected the idea of hosting a 2FA app for multiple platforms, it would be useful for that analysis could be published, showing why this does not fit the WMF strategy, would not be cost effective, or why third party solutions are strategically better for the community.

Event Timeline

Fae created this task.Nov 14 2016, 10:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 14 2016, 10:40 AM
Fae awarded a token.Nov 14 2016, 10:47 AM
Arian_Ar subscribed.Nov 14 2016, 11:39 AM
MZMcBride subscribed.Nov 14 2016, 1:58 PM
Anomie subscribed.Nov 14 2016, 3:13 PM

This task seems to be missing an understanding of how exactly TOTP works. In particular, the linked "authy" thing appears to be a much more complex version of 2FA that requires using their third-party service and incorporates TOTP as one of its several options. The TOTP option in their app could be used with the OATHAuth extension, but there would be nothing for WMF to "host" for that to happen.

I see little point for WMF to spend resources in creating a TOTP app when open-source apps like FreeOTP and totp-me already exist.

Xaosflux subscribed.Nov 14 2016, 4:33 PM
Tgr subscribed.Nov 14 2016, 7:26 PM

Agreed this would not be a good use of time. We don't host any browser either and people have no trouble finding one that suits them.

Leveraging our existing mobile apps is an interesting possibility (e.g. if you have Google Apps on your phone and do something 2FA-worthy in a browser, it just shows a notification on the phone and asks you to press OK if it was really you) as it offers a more streamlined UX that would not be possible with a third-party app. Still, it does not offer enough benefit over a random 2FA app to justify the effort IMO.

Ladsgroup awarded a token.Nov 15 2016, 7:37 AM
Aklapper closed this task as Declined.May 22 2020, 3:20 PM
Aklapper edited projects, added WMF-General-or-Unknown; removed Community-IdeaLab.

Declining per previous three comments.

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL