Page MenuHomePhabricator

Allow all users on all wikis to use OATHAuth
Open, MediumPublic

Description

I thought we had a task for this, but I can't seem to find one...

We eventually want to enable OATHAuth on all wikis, for all users, pending a few usability improvements

Related Objects

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Reedy renamed this task from Deploy Extension OATHAuth to all wikis to Allow all users on all wikis to use OATHAuth.May 30 2017, 9:25 PM

Duh. Subject changed to mean what I actually meant

jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.
jrbs added a subscriber: Jalexander.
jrbs added a subscriber: jrbs.

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth. Though the tasks @Tgr mentioned (T166622#4802577) should alleviate most of their concerns, I'd imagine.

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

T150868: Expand recovery code instruction with advice to mark which codes you have used I guess?

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

I think so, title improved a little bit

@Tgr and @Reedy, yep, this task is directly related to the #10 of Community-Wishlist-Survey-2019: 2FA available for all concerned editors

Actually implementing that task is easy (removing 10-15 lines from wmf-config)... It's the tasks mentioned above that need fixing first before we will do that

This is not really blocked on forcing on anyone 2FA, so rearranged the dependency tree a bit.

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Because we are actually "Beta tester" for a long time and i would like to keep a memory in my SUL :) (i'm not a Beta tester anymore since i'm mediawiki admin)

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

The issues why we haven’t rolled it out widely are still the same

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

Thanks, I'll paste a pointer here in case others find themselves in the same situation:
https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions