
Force OATHAuth (2FA) for certain user groups in Wikimedia production
Open, Normal, Public

Description

For private and fishbowl wikis, probably all accounts.

For other wikis, on a case-by-case basis.

For SUL wikis, probably the "global groups" of staff, sysadmins, stewards, ombudsmen, global-sysops, abusefilter-helpers, interface-editors, and founder, and the local per-wiki equivalents (at least for bureaucrat, checkuser, suppression, and interface-admin).

For meta, various groups which can make changes with a global effect (like renamer or CentralNotice admin).

For wikitech, users with SSH keys.

This might require some or all of the same UX improvements that block T166622: Allow all users on all wikis to use OATHAuth.

Event Timeline

Restricted Application added subscribers: JEumerus, Matanya, Aklapper. Nov 16 2016, 9:29 PM
Wiki13 added a subscriber: Wiki13. Nov 17 2016, 11:18 AM

editinterface in SUL means all admins, seems like. I've seen concerns that one can easily lose access to an account with 2FA and opposition towards making it mandatory for this and other reasons, so probably needs a consensus first.

Krenair added a subscriber: Krenair.

I'm unconvinced

Tgr updated the task description. Nov 15 2018, 7:28 PM
Tgr updated the task description. Nov 15 2018, 7:31 PM
Tgr added a subscriber: Tgr.

Wikitech accounts in general are fairly harmless. The danger there is taking over a developer account and adding SSH keys, I suppose.

Tgr added a subtask: Restricted Task.Nov 15 2018, 7:33 PM

Well, on enWikipedia a few more issues have been raised:

  • Not everybody has two devices available or is willing/able to pay for them.
  • 2FA is not necessarily legal everywhere in the world.
  • Not everybody can/will download an authenticator software in lieu of two devices, e.g. when they are on devices they don't own.
  • Technically complex. In my personal opinion, some folks who are tech savvy might be underestimating the complexity of such arrangements.
  • The current system is prone to causing an account lockout.
  • There are concerns of a slippery slope effect towards progressively less reasonable security measures.
  • Only pertaining to sysop: Many people are not entirely convinced that the few instances of sysop accounts being taken over are worth these problems even if there were a solution for them.
Anomie added a subscriber: Anomie. Dec 7 2018, 5:17 PM
  • Not everybody has two devices available or is willing/able to pay for them.

2FA doesn't require two devices. A program to generate TOTP codes can likely be run on any device capable of running a web browser or the mobile apps. If necessary, there are even online password managers like https://keeweb.info/ that support TOTP. I further note that the software behind https://keeweb.info/ is open source, so you could run a mirror if you don't trust the site itself.

Of course, using one device or using a website does bring some reduction in security. It'll still be effective against the password reuse problem that seems to have been a major factor in the recent incident, at least until someone breaks into keeweb 🤷

  • 2FA is not necessarily legal everywhere in the world.

The one comment on that enwiki discussion asserting this states "people who live in countries where it is not legal to own certain types of technology (or could result in significant state surveillance if owned)". It's not even clear whether that's referring to 2FA itself being illegal or just certain kinds of smartphones, or whether it is actually known to be illegal anywhere.

  • Not everybody can/will download an authenticator software in lieu of two devices, e.g. when they are on devices they don't own.

As noted above, there are websites that can do TOTP if you can't install an authenticator app.

Although I suppose some people might be opposed to doing that too. At some point there might need to be a cutoff for "don't want to".

  • Technically complex. In my personal opinion, some folks who are tech savvy might be underestimating the complexity of such arrangements.

True, at least to some extent. Although for the mainstream use case it's pretty simple: install app, scan QR code, then copy 6 digits out of the app whenever you need to log in.

  • The current system is prone to causing an account lockout.

Which is known and mitigating that is considered a blocker, see T150898#4802584.

  • There are concerns of a slippery slope effect towards progressively less reasonable security measures.

Slippery slope arguments are themselves sometimes slippery slopes. Let's evaluate 2FA on its own merits.

  • Only pertaining to sysop: Many people are not entirely convinced that the few instances of sysop accounts being taken over are worth these problems even if there were a solution for them.

On the other hand, many people are convinced. It's hard to get a feel for the sizes of these groups in the linked discussion because of people raising the other issues above instead. What we'd likely have to do there is address the blocking issues, prepare an RFC that clearly lays out options such as totp-me, desktop apps, and keeweb, and then somehow avoid pile-on from people who ignore that those other options exist.
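The comment above describes the mainstream TOTP flow (scan a QR code, then copy six digits out of the app) and argues that the code generator can run on any device with a browser or an interpreter. The following is an added worked example, written for this page and not code from OATHAuth or the Wikimedia project: it parses the otpauth:// URI that an enrolment QR code encodes, generates the same six-digit RFC 6238 code an authenticator app shows, and verifies a submitted code server-side with a one-step clock-skew window and single-use counters. The enrolment URI, label and issuer are constructed; the secret is the RFC 6238 test seed, so the codes match the RFC's published vectors.

```python
"""RFC 6238 TOTP as used by OATHAuth-style logins (added example).

Parses the otpauth:// URI from an enrolment QR code, generates the 6-digit
code an authenticator app would show, and verifies a submitted code with a
small clock-skew window plus replay protection.  Standard library only, so
it runs wherever a Python interpreter does.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets from QR codes are often lowercase and unpadded; normalise before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the TOTP parameters from an otpauth://totp/<label>?secret=...&issuer=... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, int(timestamp) // period, digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: float,
                last_used_counter: int = -1, window: int = 1,
                period: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check.  Returns the matching time-step counter, or None.

    window=1 also accepts the previous and next 30-second step, which absorbs
    modest clock drift on the user's device (one cause of spurious lockouts)
    without accepting stale codes.  Counters at or below last_used_counter are
    rejected, so a code seen once (e.g. sniffed in transit) cannot be replayed.
    """
    now = int(timestamp) // period
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted.strip()):
            return counter
    return None


if __name__ == "__main__":
    # Constructed enrolment URI; the secret is the RFC 6238 test seed, not a real one.
    uri = "otpauth://totp/Wikipedia:Example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Wikipedia"
    p = parse_otpauth_uri(uri)
    now = time.time()
    code = totp(p["secret"], now, p["period"], p["digits"])
    print(f"code for {p['label']} right now: {code}")
    print("verify returns counter:", verify_totp(p["secret"], code, now))
```

The caller is expected to persist the counter that verify_totp returns and pass it back as last_used_counter on the next login; that, together with the narrow window, is what keeps a "one device, or a website" generator from being weaker than it needs to be against replay, while still tolerating a device clock that is half a minute off.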

Tgr added a comment. Dec 7 2018, 6:53 PM

Note there is a bit more discussion of requirements in the parent task (T166622).

IMO we might also want to rethink T150902: SMS based 2FA if we want 2FA to be deployed as widely as possible.

Meno25 added a subscriber: Meno25. Dec 9 2018, 3:55 AM

"As noted above, there are websites that can do TOTP if you can't install an authenticator app. Although I suppose some people might be opposed to doing that too. At some point there might need to be a cutoff for "don't want to"." Well yeah I'd expect that a lot of people don't want to trust a login that relies on a third party website/software, as they are often less than dependable & easy to use.