Page MenuHomePhabricator
Create Task
Maniphest T166622

Allow all users on all wikis to use OATHAuth
Open, MediumPublic
Actions

Description

I thought we had a task for this, but I can't seem to find one...

We eventually want to enable OATHAuth on all wikis, for all users, pending a few usability improvements

Related Objects
Search...

Event Timeline

Reedy created this task.May 30 2017, 9:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 30 2017, 9:16 PM
Reedy triaged this task as Medium priority.May 30 2017, 9:16 PM
Reedy mentioned this in T100373: WebAuthn (U2F) integration for Extension:OATHAuth.
Reedy added a subtask: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.
Anomie added a subscriber: Anomie.May 30 2017, 9:22 PM

It already is deployed on all wikis.

Reedy renamed this task from Deploy Extension OATHAuth to all wikis to Allow all users on all wikis to use OATHAuth.May 30 2017, 9:25 PM
In T166622#3302241, @Anomie wrote:

It already is deployed on all wikis.

Duh. Subject changed to mean what I actually meant

TheDJ added a subscriber: TheDJ.May 30 2017, 9:45 PM
Luke081515 awarded a token.May 31 2017, 1:51 PM
Luke081515 added a subscriber: Luke081515.
TerraCodes added a subscriber: TerraCodes.Jun 7 2017, 6:44 AM
Daylen added a subscriber: Daylen.Jul 18 2017, 5:03 AM
MarcoAurelio moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Aug 13 2017, 7:10 PM
Liuxinyu970226 added a subscriber: Liuxinyu970226.Nov 9 2017, 5:07 AM
Liuxinyu970226 awarded a token.Nov 15 2017, 1:44 PM
Sniper296 awarded a token.Jan 20 2018, 8:05 PM
Sniper296 added a subscriber: Sniper296.
Lars.Dormans added a subscriber: Lars.Dormans.Mar 11 2018, 8:03 PM
This comment was removed by Lars.Dormans.
Wong128hk awarded a token.Mar 12 2018, 1:22 AM
Wong128hk added a subscriber: Wong128hk.
jrbs added a project: Trust-and-Safety.May 9 2018, 1:31 AM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.
jrbs added a subscriber: Jalexander.
jrbs added a subscriber: jrbs.
Tgr merged a task: T150577: Enable OATHAuth for all users.Jul 24 2018, 8:55 AM
Tgr added subscribers: Lucas_Werkmeister_WMDE, MisterSynergy, BethNaught and 8 others.
Tgr mentioned this in T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects.Jul 24 2018, 8:59 AM
AfroThundr3007730 added a subscriber: AfroThundr3007730.Aug 20 2018, 10:25 PM
Bawolff edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:32 PM
sbassett added a subscriber: sbassett.Oct 29 2018, 6:15 PM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Dec 6 2018, 8:19 AM
Tgr added a subscriber: Tgr.Dec 6 2018, 8:22 AM

I guess the blockers for this (beyond what's already captured in the task graph) are T180896: Allow functionaries to reset second factor on low-risk accounts and T150601: Add option to generate new set of scratch codes / T131788: Users should be notified when only two scratch tokens are left? Is anything else considered necessary?

Reedy added a comment.Dec 6 2018, 8:34 AM

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

Liuxinyu970226 added a comment.Dec 6 2018, 12:04 PM

@Tgr and @Reedy, yep, this task is directly related to the #10 of #community-wishlist-survey-2019: 2FA available for all concerned editors

TheDJ added a comment.Dec 6 2018, 12:49 PM

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

sbassett added a comment.EditedDec 6 2018, 4:01 PM

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth. Though the tasks @Tgr mentioned (T166622#4802577) should alleviate most of their concerns, I'd imagine.

Tgr added a comment.Dec 7 2018, 1:48 AM
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

In T166622#4803311, @TheDJ wrote:

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

T150868: Expand scratch code instruction with advice to mark which codes you have used I guess?

Reedy added a comment.Dec 7 2018, 6:27 AM
In T166622#4805023, @Tgr wrote:
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

I think so, title improved a little bit

Reedy added a comment.Dec 7 2018, 6:38 AM
In T166622#4803222, @Liuxinyu970226 wrote:

@Tgr and @Reedy, yep, this task is directly related to the #10 of #community-wishlist-survey-2019: 2FA available for all concerned editors

Actually implementing that task is easy (removing 10-15 lines from wmf-config)... It's the tasks mentioned above that need fixing first before we will do that

Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.Dec 7 2018, 6:53 PM
Tgr edited subtasks, added: T150601: Add option to generate new set of scratch codes, T131788: Users should be notified when only two scratch tokens are left, T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling, T150868: Expand scratch code instruction with advice to mark which codes you have used; removed: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.Dec 10 2018, 7:07 AM
Tgr added a subtask: T180896: Allow functionaries to reset second factor on low-risk accounts.
Tgr added a comment.Dec 10 2018, 7:11 AM

This is not really blocked on forcing on anyone 2FA, so rearranged the dependency tree a bit.

Tomybrz added a subscriber: Tomybrz.Dec 27 2018, 3:36 PM

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Reedy added a comment.Dec 27 2018, 3:38 PM
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Tomybrz added a comment.EditedDec 28 2018, 11:34 PM
In T166622#4844661, @Reedy wrote:
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Because we are actually "Beta tester" for a long time and i would like to keep a memory in my SUL :) (i'm not a Beta tester anymore since i'm mediawiki admin)

Urbanecm merged a task: T214376: Add "oathauth-enable" to all user group rights by default on all Wikimedia wiki projects.Jan 22 2019, 1:04 PM
Urbanecm added subscribers: Tulsi_Bhagat, Dereckson, Jayprakash12345 and 4 others.
taavi added a subscriber: taavi.Mar 16 2019, 6:43 PM
RhinosF1 added a subscriber: RhinosF1.Apr 3 2019, 10:10 PM
Lofhi added a subscriber: Lofhi.Apr 12 2019, 12:06 PM
Meisam added a subscriber: Meisam.May 6 2019, 11:49 AM
Yyn1312 moved this task from Security/Abuse to Backlog on the Trust-and-Safety board.May 15 2019, 7:35 AM
Aklapper moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.May 16 2019, 11:56 AM
94rain added a subscriber: 94rain.Jun 11 2019, 4:34 AM
Rail added a subscriber: Rail.Aug 7 2019, 8:01 AM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
awight awarded a token.Jun 25 2020, 10:55 AM
awight added a subscriber: awight.
awight added a comment.Jun 25 2020, 11:00 AM

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

Reedy added a comment.Jun 25 2020, 11:31 AM
In T166622#6256084, @awight wrote:

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

The issues why we haven’t rolled it out widely are still the same

awight added a comment.Jun 25 2020, 2:36 PM
In T166622#6256156, @Reedy wrote:

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

Thanks, I'll paste a pointer here in case others find themselves in the same situation:
https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions

Evrifaessa added a subscriber: Evrifaessa.Jul 26 2020, 4:05 PM
alaa added a subscriber: alaa.Sep 30 2020, 12:05 PM
Base added a subscriber: Base.Sep 30 2020, 12:13 PM
Meirae added a subscriber: Meirae.Sep 30 2020, 2:52 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Smarti added a subscriber: Smarti.Nov 16 2020, 11:11 PM
Reedy added a project: Goal.Feb 1 2021, 9:29 PM
Reedy mentioned this in T180896: Allow functionaries to reset second factor on low-risk accounts.
SpartacksCompatriot added a subscriber: SpartacksCompatriot.May 16 2021, 3:14 PM
Zabe added a subscriber: Zabe.Oct 31 2021, 1:16 AM
Stang added a subscriber: Stang.Mar 3 2022, 5:48 AM
IAmChaos added a subscriber: IAmChaos.Jul 9 2022, 4:25 AM
TheresNoTime changed the status of subtask T180896: Allow functionaries to reset second factor on low-risk accounts from Stalled to Open.Sep 26 2022, 6:11 PM
PolyversialMind added a subscriber: PolyversialMind.Oct 6 2022, 8:41 PM
Ahm_masum added a subscriber: Ahm_masum.Jan 30 2023, 6:52 PM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Thu, Nov 30, 5:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL