Page MenuHomePhabricator
Create Task
Maniphest T166622

Allow all users on all wikis to use OATHAuth
Closed, ResolvedPublic
Actions

Description

I thought we had a task for this, but I can't seem to find one...

We eventually want to enable OATHAuth on all wikis, for all users, pending a few usability improvements

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Lars.Dormans added a comment.Mar 11 2018, 8:03 PM
This comment was removed by Lars.Dormans.
Wong128hk awarded a token.Mar 12 2018, 1:22 AM
Wong128hk subscribed.
jrbs added a project: Trust-and-Safety.May 9 2018, 1:31 AM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.
jrbs added a subscriber: Jalexander.
jrbs subscribed.
Tgr merged a task: T150577: Enable OATHAuth for all users.Jul 24 2018, 8:55 AM
Tgr added subscribers: Lucas_Werkmeister_WMDE, MisterSynergy, BethNaught and 8 others.
Tgr mentioned this in T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects.Jul 24 2018, 8:59 AM
AfroThundr3007730 subscribed.Aug 20 2018, 10:25 PM
Bawolff edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:32 PM
sbassett subscribed.Oct 29 2018, 6:15 PM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Dec 6 2018, 8:19 AM
Tgr subscribed.Dec 6 2018, 8:22 AM

I guess the blockers for this (beyond what's already captured in the task graph) are T180896: Allow functionaries to reset second factor on low-risk accounts and T150601: Add option to generate new set of recovery codes / T131788: Users should be notified when only two recovery codes are left? Is anything else considered necessary?

Reedy added a comment.Dec 6 2018, 8:34 AM

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

Liuxinyu970226 added a comment.Dec 6 2018, 12:04 PM

@Tgr and @Reedy, yep, this task is directly related to the #10 of Community-Wishlist-Survey-2019: 2FA available for all concerned editors

TheDJ added a comment.Dec 6 2018, 12:49 PM

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

sbassett added a comment.EditedDec 6 2018, 4:01 PM

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth. Though the tasks @Tgr mentioned (T166622#4802577) should alleviate most of their concerns, I'd imagine.

Tgr added a comment.Dec 7 2018, 1:48 AM
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

In T166622#4803311, @TheDJ wrote:

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

T150868: Expand recovery code instruction with advice to mark which codes you have used I guess?

Reedy added a comment.Dec 7 2018, 6:27 AM
In T166622#4805023, @Tgr wrote:
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

I think so, title improved a little bit

Reedy added a comment.Dec 7 2018, 6:38 AM
In T166622#4803222, @Liuxinyu970226 wrote:

@Tgr and @Reedy, yep, this task is directly related to the #10 of Community-Wishlist-Survey-2019: 2FA available for all concerned editors

Actually implementing that task is easy (removing 10-15 lines from wmf-config)... It's the tasks mentioned above that need fixing first before we will do that

Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Dec 7 2018, 6:53 PM
Tgr edited subtasks, added: T150601: Add option to generate new set of recovery codes, T131788: Users should be notified when only two recovery codes are left, T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling, T150868: Expand recovery code instruction with advice to mark which codes you have used; removed: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Dec 10 2018, 7:07 AM
Tgr added a subtask: T180896: Allow functionaries to reset second factor on low-risk accounts.
Tgr added a comment.Dec 10 2018, 7:11 AM

This is not really blocked on forcing on anyone 2FA, so rearranged the dependency tree a bit.

Tomybrz subscribed.Dec 27 2018, 3:36 PM

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Reedy added a comment.Dec 27 2018, 3:38 PM
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Tomybrz added a comment.EditedDec 28 2018, 11:34 PM
In T166622#4844661, @Reedy wrote:
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Because we are actually "Beta tester" for a long time and i would like to keep a memory in my SUL :) (i'm not a Beta tester anymore since i'm mediawiki admin)

Urbanecm merged a task: T214376: Add "oathauth-enable" to all user group rights by default on all Wikimedia wiki projects.Jan 22 2019, 1:04 PM
Urbanecm added subscribers: Tulsi_Bhagat, Dereckson, Jayprakash12345 and 4 others.
taavi subscribed.Mar 16 2019, 6:43 PM
RhinosF1 subscribed.Apr 3 2019, 10:10 PM
Lofhi subscribed.Apr 12 2019, 12:06 PM
Meisam subscribed.May 6 2019, 11:49 AM
Yyn1312 moved this task from Security/Abuse to Backlog on the Trust-and-Safety board.May 15 2019, 7:35 AM
Aklapper moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.May 16 2019, 11:56 AM
94rain subscribed.Jun 11 2019, 4:34 AM
Rail subscribed.Aug 7 2019, 8:01 AM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
awight awarded a token.Jun 25 2020, 10:55 AM
awight subscribed.
awight added a comment.Jun 25 2020, 11:00 AM

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

Reedy added a comment.Jun 25 2020, 11:31 AM
In T166622#6256084, @awight wrote:

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

The issues why we haven’t rolled it out widely are still the same

awight added a comment.Jun 25 2020, 2:36 PM
In T166622#6256156, @Reedy wrote:

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

Thanks, I'll paste a pointer here in case others find themselves in the same situation:
https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions

Evrifaessa subscribed.Jul 26 2020, 4:05 PM
alaa subscribed.Sep 30 2020, 12:05 PM
Base subscribed.Sep 30 2020, 12:13 PM
Meirae subscribed.Sep 30 2020, 2:52 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Smarti subscribed.Nov 16 2020, 11:11 PM
Reedy added a project: Goal.Feb 1 2021, 9:29 PM
Reedy mentioned this in T180896: Allow functionaries to reset second factor on low-risk accounts.
SpartacksCompatriot subscribed.May 16 2021, 3:14 PM
Zabe subscribed.Oct 31 2021, 1:16 AM
Stang subscribed.Mar 3 2022, 5:48 AM
IAmChaos subscribed.Jul 9 2022, 4:25 AM
TheresNoTime changed the status of subtask T180896: Allow functionaries to reset second factor on low-risk accounts from Stalled to Open.Sep 26 2022, 6:11 PM
PolyversialMind subscribed.Oct 6 2022, 8:41 PM
Ahm_masum subscribed.Jan 30 2023, 6:52 PM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Nov 30 2023, 5:58 PM
MaterialWorks subscribed.Dec 30 2023, 2:53 PM
Reedy closed subtask T150868: Expand recovery code instruction with advice to mark which codes you have used as Resolved.Jan 11 2024, 3:08 PM
Novem_Linguae subscribed.Apr 25 2024, 9:05 AM
Dalba awarded a token.Aug 29 2024, 3:53 AM
valerio.bozzolan subscribed.Oct 6 2024, 4:38 PM
Pppery moved this task from Analysis / under discussion to Blocked on development on the Wikimedia-Site-requests board.Oct 20 2024, 2:28 AM
Reedy closed subtask T131788: Users should be notified when only two recovery codes are left as Resolved.Nov 2 2024, 1:29 PM
A_smart_kitten subscribed.Nov 14 2024, 3:01 PM
Kristbaum awarded a token.Mar 20 2025, 4:05 PM
Kristbaum subscribed.
Johannnes89 subscribed.Jun 26 2025, 8:50 PM
Tgr added a project: FY2025-26 WE4.6.3 Global 2FA Opt-In.Aug 1 2025, 9:22 AM
Tgr removed a project: FY2025-26 WE4.6.3 Global 2FA Opt-In.
Tgr mentioned this in T399664: Expand 2FA Opt-In Privileges.Aug 1 2025, 9:25 AM
OKryva-WMF edited projects, added Product Safety and Integrity; removed Trust-and-Safety.Sep 26 2025, 2:07 PM
OKryva-WMF moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.Sep 26 2025, 2:08 PM
OKryva-WMF edited projects, added Trust-and-Safety; removed Product Safety and Integrity.Sep 26 2025, 3:05 PM
sbassett closed subtask T150601: Add option to generate new set of recovery codes as Resolved.Oct 3 2025, 8:50 PM
Reedy added a subtask: T399664: Expand 2FA Opt-In Privileges.Oct 29 2025, 12:33 PM
TBurmeister subscribed.Nov 24 2025, 6:49 PM
Bugreporter subscribed.Dec 4 2025, 6:31 AM

Note this task concerns non-WMF wikis so should be resolved once it become the default of OATHAuth extension.

Reedy added a comment.Dec 4 2025, 9:53 AM
In T166622#11431576, @Bugreporter wrote:

Note this task concerns non-WMF wikis so should be resolved once it become the default of OATHAuth extension

No it doesn’t? This is specifically for WMF wikis,

The default in the extension has always been to allow all user accounts.

Reedy closed this task as Resolved.Dec 4 2025, 9:57 AM
Mstyles closed subtask T399664: Expand 2FA Opt-In Privileges as Resolved.Dec 4 2025, 9:27 PM
Mstyles closed subtask T180896: Allow functionaries to reset second factor on low-risk accounts as Resolved.
Bugreporter reopened subtask T180896: Allow functionaries to reset second factor on low-risk accounts as Open.Dec 5 2025, 2:56 AM
A_smart_kitten removed a subtask: T180896: Allow functionaries to reset second factor on low-risk accounts.Dec 7 2025, 4:28 PM
Stang unsubscribed.Dec 10 2025, 9:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits