Page MenuHomePhabricator

Stop requiring two-factor authentication for horizon.wikimedia.org
Closed, DeclinedPublic

Description

I can't log in to https://horizon.wikimedia.org/auth/login/?next=/. It's demanding a two-factor authentication code and I don't have one. I went to https://wikitech.wikimedia.org/wiki/Special:Preferences (no link provided, I typed it in myself) and got to https://wikitech.wikimedia.org/w/index.php?title=Special:Two-factor_authentication&returnto=Special%3APreferences and then I'm like "yeah, why do I need to go through all this trouble again?"

I don't want to scan a QR code or treat this account like it's something important. Just let me log in please. This is how wikitech.wikimedia.org works.

Event Timeline

Restricted Application added a project: Cloud-Services. · View Herald TranscriptMar 27 2017, 1:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Andrew closed this task as Declined.Mar 29 2017, 4:03 PM
Andrew added a subscriber: Andrew.

Wikitech has always required 2fa for any actions that affect VMs. Since that's all that Horizon does, requiring 2fa for all of Horizon maintains the existing policy. Viewing the current status of VMs is 100% public (not requiring a login anywhere) and we're working on a public display of puppet instance config as well.

And, having 2fa here is important. I don't want to tell someone that all of their instances were deleted because another member of their project chose a dumb password.

That said, I welcome suggestions for how to simplify the 2fa setup process. It's not great.

MZMcBride reopened this task as Open.Apr 17 2017, 2:10 AM

Wikitech has always required 2fa for any actions that affect VMs.

I don't know what this means. I've never needed two-factor authentication on wikitech.wikimedia.org. I can log in there just fine.

And, having 2fa here is important. I don't want to tell someone that all of their instances were deleted because another member of their project chose a dumb password.

That sounds like a reason to make backups.

That said, I welcome suggestions for how to simplify the 2fa setup process. It's not great.

This task doesn't seem resolved to me. I can't log in at https://horizon.wikimedia.org/auth/login/?next=/ because of some token I don't have. What am I supposed to do?

I went to https://wikitech.wikimedia.org/w/index.php?title=Special:Two-factor_authentication&returnto=Special%3APreferences and was told:

Download a program for two-factor authentication. That can be a mobile application (such as Google Authenticator) or a desktop application

I don't have such a program. This doesn't provide any links or help to download whatever program I allegedly need. Am I supposed to go download some program to my computer in order to log in? How is that acceptable? How is that making the login process more secure?

I don't know what this means. I've never needed two-factor authentication on wikitech.wikimedia.org. I can log in there just fine.

You are right! It's always been required for me but I just looked at the code and the rule wrapped by this:

if ( $this->getUser()->isAllowed( 'userrights' ) ) {

So, 2fa is required for certain admins but nor for projectadmins like you.

So, we will revisit this. I'm still pretty sure that requiring 2fa (and improving the docs) is the right solution, but I'll stop presenting this as a settled issue :)

bd808 added a subscriber: bd808.Apr 21 2017, 8:25 PM

I don't want to scan a QR code or treat this account like it's something important.

Having administration rights for a project on our OpenStack cluster actually is something important. It grants the permissions needed to make destructive changes to the virtual machines in the project. It also grants the permissions needed to create new VMs up to the account quota limit which functionally spends donor funds in the form of resource consumption.

The real question is if this importance rises to the level of requiring strong authentication measures to prevent a class of hostile account takeover attacks. In discussions of requiring 2FA on wikis, the arguments for enabling tend to hinge on the amount of damage that could be done if a hostile user took over an account. On-wiki rights like those granted to checkuser, oversite, and steward group members are typically the target of discussions for increased account security. These groups are granted rights which allow either access to highly sensitive data or the ability to make fairly disruptive changes to the wiki contents. I personally think there is an argument to be made that OpenStack project management also allows a variety of potentially damaging actions. I also personally feel that the burden on the end user to use 2FA is minimal. This opinion may be biased however because I use 2FA protection on both my staff and personal Wikimedia account as well as for something like 15 other non-Wikimedia accounts. To me a time based 2FA token is just a standard best practice for securing any account which provides the capability.

bd808 triaged this task as Medium priority.Apr 21 2017, 8:26 PM

Universally requiring 2FA protection for Horizon was a recommendation made by @csteipp during the initial deployment of the application. It would be nice to have input from the current Security-Team on their perceived value of continuing this policy.

Thank you both for reconsidering this.

I also personally feel that the burden on the end user to use 2FA is minimal. This opinion may be biased however because I use 2FA protection on both my staff and personal Wikimedia account as well as for something like 15 other non-Wikimedia accounts. To me a time based 2FA token is just a standard best practice for securing any account which provides the capability.

I strongly think requiring two-factor authentication is a barrier to entry.

In my case, if I don't want to use a cell phone to scan a QR code, what are my alternatives? Should I download some kind of desktop application to scan the QR code? Is there a free one? Can I get a hard token?

bd808 added a comment.Apr 23 2017, 7:30 PM

I strongly think requiring two-factor authentication is a barrier to entry.

I agree that 2FA is a barrier to entry. The area that it is acting as a barrier to however is project administration, not membership in projects. Running a project already requires non-trivial technical skills to maintain secure and performant VMs.

In my case, if I don't want to use a cell phone to scan a QR code, what are my alternatives? Should I download some kind of desktop application to scan the QR code? Is there a free one?

There are some details on 2FA generally and possible clients on various wikis:

For testing 2FA with disposable accounts I use https://tools-static.wmflabs.org/bd808-test/gauth/ which is a deployment of https://github.com/gbraad/gauth/.

Can I get a hard token?

I am not aware of a hardware token that would be compatible with MediaWiki's OATHAuth extension.

Zppix added a subscriber: Zppix.Apr 23 2017, 8:14 PM

I dislike the 2FA requirement I do things from many different devices and I dont have access all the time to internet on my phone, so if i need to login to horizon I'm unable to (and i've of yet been able to find a decent 2fa client that works well with cross-os such as chromeos and windows)

We have always required some level of administrators to use 2fa, and have defaulted to it in the Phabricator admin case and a few others. I'm not sure if @csteipp will have time to weigh in but my recollection of the sentiment is this: these are privileged level accounts and there is no undo or revert for the actions of project administrators. These types of accounts should require 2fa by default and be reasoned backwards as the exception.

I dislike the 2FA requirement I do things from many different devices and I dont have access all the time to internet on my phone,

This sounds like a misunderstanding of how the Authenticator app works. The second key is stored locally on your phone; no internet access is needed to call up an access token.

Krenair added a subscriber: Krenair.Dec 9 2018, 9:58 PM

Suggest decline per @chasemp, horizon by nature allows unrevertable actions and should definitely require 2FA for the majority of use cases. I would accept a lack of it at login if upstream moved to allow requiring 2FA only for sensitive actions but frankly most things one could do there are pretty powerful.

GTirloni closed this task as Declined.Mar 21 2019, 8:39 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.