
Lost 2FA details, request recovery.
Closed, Resolved · Public

Description

Hello, I am Alexsh from zhwiki. I request to disable 2FA on my account because I wiped my phone and the secret code is lost.

Identity checks

  1. Alexsh doesn't have an LDAP account, and uses their MediaWiki account to connect to Phabricator. They can successfully connect here (through MediaWiki, that is).
  2. A mail has been sent by @Dereckson to the address linked to the pre-SUL zhwiki local account, per the https://wikitech.wikimedia.org/wiki/Password_reset/Confirming_identities recommendation. A reply confirming the request came 4 May 2017 00:51 UTC.

Event Timeline

Alexsh created this task. May 2 2017, 1:23 PM
Restricted Application added subscribers: Cosine02, Aklapper. May 2 2017, 1:23 PM
Aklapper added a subscriber: Zppix.

@Zppix: This has nothing to do with Operations nor Wikimedia-Site-requests. Please do not add these projects.

@Alexsh: Is this about 2FA on zhwiki? Or in some other place?

> @Alexsh: Is this about 2FA on zhwiki? Or in some other place?

2FA is global.

> @Zppix: This has nothing to do with Operations nor Wikimedia-Site-requests. Please do not add these projects.

You are not right. This can be done as a site request.

Dereckson added subscribers: Reedy, Dereckson.

We don't currently have a policy, @Reedy seems to currently be willing to do it outside a policy, but at some point, we'll need a policy to avoid social engineering.

> 2FA is global.

I'm pretty sure that 2FA for Phabricator is separate from global on-wiki things...

Yes, we've three places where two factors are configurable:

  • Phabricator — https://phabricator.wikimedia.org/settings/ (regardless of whether an LDAP account or a MediaWiki account is used as the first factor)
  • Wikitech — on wikitech.wikipedia.org (for LDAP accounts, that is)
  • MediaWiki — linked to the SUL MediaWiki account

For LDAP login, the procedure is fully covered by https://wikitech.wikimedia.org/wiki/Password_reset#Reset_two_factor_authentication.

For MediaWiki, we don't have any procedure in place, but @Alexsh is welcome to suggest how they can prove the request is legitimate.

@Aklapper Phabricator is the place to request disabling 2FA for wikis :). As he mentioned a certain wiki, I guess it is about a WMF wiki.

@Dereckson The Phabricator account is connected to the MediaWiki SUL one. Would you accept this as proof?

> The Phabricator account is connected to the MediaWiki SUL one.

No, it is not always (it can also be connected to LDAP/wikitech/Gerrit instead), and Phab's 2FA is separate. Hence I asked for clarification. Anyway... sorry for the confusion! :)

>> The Phabricator account is connected to the MediaWiki SUL one.
>
> No, it is not always (it can also be connected to LDAP/wikitech/Gerrit instead), and Phab's 2FA is separate. Hence I asked for clarification. Anyway... sorry for the confusion! :)

In other words, the Phab account we are talking about (where the request came from) is connected to the MediaWiki one which needs to be recovered. This connection can be accepted as proof that this is a legitimate request.

@Bawolff any thought about this?

Reedy added a comment. May 3 2017, 2:17 PM

> We don't currently have a policy, @Reedy seems to currently be willing to do it outside a policy, but at some point, we'll need a policy to avoid social engineering.

Usually when I have a way of verifying people are who they say they are: through knowing them personally and contacting them other ways, or by having a third party in common who can verify them for me.

The technical part is easy. The social part, not quite so much.

Usually, when people have a Phab account tied to their end wiki account, I see this as enough to action the request, if it's made through the account on Phab.

Okay, I'm going to confirm by e-mail with the requester if a mail account has been submitted, and proceed if we've this double Phabricator + mail confirmation.

Dereckson updated the task description. May 3 2017, 2:23 PM
Dereckson updated the task description. May 4 2017, 5:48 AM

I received a confirmation by mail, so it's okay for me.

Dereckson updated the task description. May 4 2017, 6:05 AM
Dereckson updated the task description.

Mentioned in SAL (#wikimedia-operations) [2017-05-04T06:09:30Z] <Dereckson> CentralAuth: Removed MediaWiki 2FA for Alexsh (T164265)

@Alexsh You should now be able to log in using just your password and re-add two factor authentication, this time saving the recovery keys on paper in a secure location perhaps.

Alexsh added a comment. May 4 2017, 8:17 AM

Confirmed. Thank you very much, and I'll close this task.

Alexsh closed this task as Resolved. May 4 2017, 8:18 AM

You're welcome. Thanks for your patience.

I always CC @Jalexander and @jrbs on this kind of request, and also add Trust-and-Safety, and treat these as private security issues.

Dereckson claimed this task. May 4 2017, 3:47 PM
Dereckson removed a subscriber: Dereckson.