Hi sec team, I've been advised to get this cleared by yourselves before proceeding any further - I'd like to add a line to an upcoming Administrator Newsletter on the English Wikipedia saying something along the lines of only x% of you have enabled 2FA - please consider enabling it now
Some people have expressed concerns that publicly releasing this percentage could be seen as an attack vector - what do you think?
Personally I think its a reasonable risk relative to the benefits of comvincing more admins to enable 2fa. (However please hive a chance for other security team members to comment before doing it)
Dont release the status of which admins have it enabled.
@Bawolff will do, I can't personally run the query so I'll ask whoever does just to read through this (providing the comments from other members of the team are positive) and only return a percentage
Ugh. How would we even query this? Either it's a query across multiple dbservers to get to the centralauth db...
Or we do it on user preferences? Else writing a maintenance script
I think it's reasonable to do; it doesn't show any personally identifiable data
@Jalexander Any comments from your end about "releasing"/publicising this information if we get it? :)
As long as there is no way to figure out 'who' doesn't have it I think its a reasonable risk. That would mostly mean percentage only and large wikis only (if others ask) because the smaller the wiki is the more of a problem that becomes.
This is a duplicate of T150589: Write a script to gather statistics on 2FA usage among functionaries (we should probably make that public now).
@Legoktm helpful! :-D either way, good to know it's been discussed/looked at elsewhere as well!
Thank you all for your comments. Am I right in summarising this discussion as it's okay to do providing the public result is a plain "x% of admins haven't enabled 2FA"?
Personally I'm only interested in (and thus will only be requesting) the English Wikipedia
How about this plan. I can run a query for English Wikipedia and if it proves useful we can talk about looking at the other wikis and doing the analysis over time, as we see fit and the data indicates.
Ok, results. 203 out of 1274 admins on english wikipedia have enabled two-factor auth. Let's make sure I did the numbers right. I assumed the following:
If that's true, then the following query will join all the right tables together and count who enabled two-factor. You can run just the inner query to spot check and make sure this makes sense, if you have rights to query the slaves. I did that and it seemed to make sense to me, like most WMF employees had it turned on.
select count(*) as sysops,
sum(has_two_factor) as enabled_two_factor
from (select user_name,
if(id is null, 0, 1) as has_two_factor
from enwiki.user
inner join
enwiki.user_groups on ug_group = 'sysop'
and ug_user = user_id
inner join
centralauth.globaluser on user_name = gu_name
left join
centralauth.oathauth_users on gu_id = id
) two_factor_status_of_all_sysops
;
+-------+--------------------+
| sysop | enabled_two_factor |
+-------+--------------------+
| 1274 | 203 |
+-------+--------------------+It's been a couple of years since the query was ran in this task, might be nice to know what the latest figures are.
A few less sysops, a few more with 2FA (note: my query from above is now harder to run on the analytics replicas because the dbs are sharded):
+--------+--------------------+ | sysops | enabled_two_factor | +--------+--------------------+ | 1180 | 275 | +--------+--------------------+