
Stop requiring two-factor authentication for horizon.wikimedia.org
Closed, Declined · Public

Description

I can't log in to https://horizon.wikimedia.org/auth/login/?next=/. It's demanding a two-factor authentication code and I don't have one. I went to https://wikitech.wikimedia.org/wiki/Special:Preferences (no link provided, I typed it in myself) and got to https://wikitech.wikimedia.org/w/index.php?title=Special:Two-factor_authentication&returnto=Special%3APreferences and then I'm like "yeah, why do I need to go through all this trouble again?"

I don't want to scan a QR code or treat this account like it's something important. Just let me log in please. This is how wikitech.wikimedia.org works.

Event Timeline

Restricted Application added a subscriber: Aklapper.
Andrew subscribed.

Wikitech has always required 2fa for any actions that affect VMs. Since that's all that Horizon does, requiring 2fa for all of Horizon maintains the existing policy. Viewing the current status of VMs is 100% public (not requiring a login anywhere) and we're working on a public display of puppet instance config as well.

And, having 2fa here is important. I don't want to tell someone that all of their instances were deleted because another member of their project chose a dumb password.

That said, I welcome suggestions for how to simplify the 2fa setup process. It's not great.

Wikitech has always required 2fa for any actions that affect VMs.

I don't know what this means. I've never needed two-factor authentication on wikitech.wikimedia.org. I can log in there just fine.

And, having 2fa here is important. I don't want to tell someone that all of their instances were deleted because another member of their project chose a dumb password.

That sounds like a reason to make backups.

That said, I welcome suggestions for how to simplify the 2fa setup process. It's not great.

This task doesn't seem resolved to me. I can't log in at https://horizon.wikimedia.org/auth/login/?next=/ because of some token I don't have. What am I supposed to do?

I went to https://wikitech.wikimedia.org/w/index.php?title=Special:Two-factor_authentication&returnto=Special%3APreferences and was told:

Download a program for two-factor authentication. That can be a mobile application (such as Google Authenticator) or a desktop application

I don't have such a program. This doesn't provide any links or help to download whatever program I allegedly need. Am I supposed to go download some program to my computer in order to log in? How is that acceptable? How is that making the login process more secure?

I don't know what this means. I've never needed two-factor authentication on wikitech.wikimedia.org. I can log in there just fine.

You are right! It's always been required for me, but I just looked at the code and the rule is wrapped by this:

if ( $this->getUser()->isAllowed( 'userrights' ) ) {

So, 2fa is required for certain admins but not for projectadmins like you.

So, we will revisit this. I'm still pretty sure that requiring 2fa (and improving the docs) is the right solution, but I'll stop presenting this as a settled issue :)

I don't want to scan a QR code or treat this account like it's something important.

Having administration rights for a project on our OpenStack cluster actually is something important. It grants the permissions needed to make destructive changes to the virtual machines in the project. It also grants the permissions needed to create new VMs up to the account quota limit which functionally spends donor funds in the form of resource consumption.

The real question is whether this importance rises to the level of requiring strong authentication measures to prevent a class of hostile account takeover attacks. In discussions of requiring 2FA on wikis, the arguments for enabling tend to hinge on the amount of damage that could be done if a hostile user took over an account. On-wiki rights like those granted to checkuser, oversight, and steward group members are typically the target of discussions for increased account security. These groups are granted rights which allow either access to highly sensitive data or the ability to make fairly disruptive changes to the wiki contents. I personally think there is an argument to be made that OpenStack project management also allows a variety of potentially damaging actions. I also personally feel that the burden on the end user to use 2FA is minimal. This opinion may be biased however because I use 2FA protection on both my staff and personal Wikimedia account as well as for something like 15 other non-Wikimedia accounts. To me a time based 2FA token is just a standard best practice for securing any account which provides the capability.

bd808 triaged this task as Medium priority. Apr 21 2017, 8:26 PM

Universally requiring 2FA protection for Horizon was a recommendation made by @csteipp during the initial deployment of the application. It would be nice to have input from the current Security-Team on their perceived value of continuing this policy.

Thank you both for reconsidering this.

I also personally feel that the burden on the end user to use 2FA is minimal. This opinion may be biased however because I use 2FA protection on both my staff and personal Wikimedia account as well as for something like 15 other non-Wikimedia accounts. To me a time based 2FA token is just a standard best practice for securing any account which provides the capability.

I strongly think requiring two-factor authentication is a barrier to entry.

In my case, if I don't want to use a cell phone to scan a QR code, what are my alternatives? Should I download some kind of desktop application to scan the QR code? Is there a free one? Can I get a hard token?

I strongly think requiring two-factor authentication is a barrier to entry.

I agree that 2FA is a barrier to entry. The area that it is acting as a barrier to however is project administration, not membership in projects. Running a project already requires non-trivial technical skills to maintain secure and performant VMs.

In my case, if I don't want to use a cell phone to scan a QR code, what are my alternatives? Should I download some kind of desktop application to scan the QR code? Is there a free one?

There are some details on 2FA generally and possible clients on various wikis:

For testing 2FA with disposable accounts I use https://tools-static.wmflabs.org/bd808-test/gauth/ which is a deployment of https://github.com/gbraad/gauth/.

Can I get a hard token?

I am not aware of a hardware token that would be compatible with MediaWiki's OATHAuth extension.

I dislike the 2FA requirement. I do things from many different devices and I don't have access all the time to internet on my phone, so if I need to log in to Horizon I'm unable to (and I've not yet been able to find a decent 2FA client that works well cross-OS, such as on ChromeOS and Windows).

We have always required some level of administrators to use 2fa, and have defaulted to it in the Phabricator admin case and a few others. I'm not sure if @csteipp will have time to weigh in but my recollection of the sentiment is this: these are privileged level accounts and there is no undo or revert for the actions of project administrators. These types of accounts should require 2fa by default and be reasoned backwards as the exception.

I dislike the 2FA requirement. I do things from many different devices and I don't have access all the time to internet on my phone,

This sounds like a misunderstanding of how the Authenticator app works. The second key is stored locally on your phone; no internet access is needed to call up an access token.

Suggest decline per @chasemp; Horizon by nature allows unrevertable actions and should definitely require 2FA for the majority of use cases. I would accept a lack of it at login if upstream moved to allow requiring 2FA only for sensitive actions, but frankly most things one could do there are pretty powerful.