Page MenuHomePhabricator
Create Task
Maniphest T150903

Alert sre/security on many 2FA failures
Open, MediumPublic
Actions

Description

Two-factor authentication codes are short and shown as the user types them in so failures should be rare. A dedicated attacker can brute-force them given enough time (the current throttling is 10 per minute, and there are 10^6 possibilities, 3 of which are acceptable, so for a single account there is about 1% chance of success for every 5 hours spent attacking; practically guaranteed success in a month or so). We should have aggressive security alerts (icinga etc) for frequent 2FA failures.

That would require either dedicated logging or improving AuthManagerLoginAuthenticateAudit (which currently only learns the outcome of the login attempt, not the step at which it failed - cf T137194: AuthManager cannot audit passwords) or adding a similar audit hook to OATHAuth.

See also T158379: Warn the user after a certain number of failed 2FA attempts about alerting the account owner.

Related incident: https://wikitech.wikimedia.org/wiki/Incident_documentation/20161112-OurMine

Related Objects

Event Timeline

Tgr created this task.Nov 16 2016, 10:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 16 2016, 10:39 PM
Tgr mentioned this in T150300: icinga notification if elevated writing to badpass.log.Nov 16 2016, 10:39 PM
Tgr added a comment.Nov 17 2016, 5:15 AM

Also, we don't currently log abandoned logins (ie. a multistep form where a later step is never submitted and the session times out), but a successful password check followed by a 2FA screen that never gets submitted should ring alarm bells.

Tgr mentioned this in T151010: Add logging to OATHAuth.Nov 18 2016, 12:50 AM
Reedy subscribed.Nov 18 2016, 12:53 AM

Is this alerts to a user of their failures, or more generally for WMF deployment? Or both?

Tgr added a comment.Nov 18 2016, 3:51 AM

I was thinking of icinga-type alerts. But adding 2FA alerts to LoginNotify (T140167) would be nice too.

MarcoAurelio subscribed.Nov 19 2016, 1:41 PM
kaldari updated the task description. (Show Details)Apr 24 2017, 9:53 PM
Tgr renamed this task from Alert on many 2FA failures to Alert ops/security on many 2FA failures.Nov 18 2017, 9:47 PM
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)
Tgr mentioned this in T158379: Warn the user after a certain number of failed 2FA attempts.
Tgr updated the task description. (Show Details)Nov 18 2017, 9:49 PM
MarcoAurelio awarded a token.Nov 18 2017, 10:01 PM
Framawiki subscribed.Nov 19 2017, 1:20 AM
Lars.Dormans subscribed.Mar 11 2018, 8:07 PM

A brute force attack on a 2FA enabled account is kinda impossible since the code changes every 30 second and you have 10.077.696 possible combinations i personally think the web server is able to handle that many request in 30 seconds

Tgr added a comment.Mar 12 2018, 12:36 AM

This is a common misconception, periodically changing the code does actually very little against bruteforce attacks. (It is there to protect against replay attacks.) The attacker would just keep trying numbers at random; the expected amount of attempts needed is approximately same.

chasemp subscribed.May 4 2018, 6:47 PM
RP88 subscribed.May 9 2018, 11:02 PM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
chasemp added a project: User-chasemp.Dec 20 2018, 8:25 PM
Aklapper removed a project: Security-Core.Nov 27 2019, 12:42 PM
Aklapper removed projects: User-chasemp, acl*security, MediaWiki-extensions-OATHAuth.Nov 27 2019, 1:30 PM
Aklapper edited projects, added User-chasemp, acl*security, MediaWiki-extensions-OATHAuth; removed Security-Extensions.Dec 2 2019, 1:01 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 5:20 PM
chasemp added a project: Security-Team.
chasemp moved this task from Incoming to Waiting on the Security-Team board.Dec 9 2019, 5:32 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
taavi subscribed.Mar 17 2021, 6:54 AM
sbassett removed projects: Security-Team, User-chasemp.May 17 2021, 4:05 PM
Krinkle added a project: Sustainability (Incident Followup).Sep 28 2021, 9:27 PM
Krinkle updated the task description. (Show Details)
Legoktm subscribed.Mar 1 2022, 8:50 AM

The easy option here is to just increment a counter in statsd for each 2FA success and another for each 2FA failure. We already do the same for login (c.f. https://grafana.wikimedia.org/d/000000004/authentication-metrics?orgId=1) so I'd think there's no issue with making this data public?

Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 23 2023, 2:09 AM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Dec 6 2023, 12:56 PM
Reedy renamed this task from Alert ops/security on many 2FA failures to Alert sre/security on many 2FA failures.Mar 13 2024, 2:31 AM
Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Apr 10 2025, 3:17 PM
Novem_Linguae subscribed.Apr 11 2025, 5:08 AM
Daimona subscribed.Apr 15 2025, 1:02 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits