Page MenuHomePhabricator

Disable Two-factor authentication for user Barek on
Closed, ResolvedPublic


I am user:Barek, and primarily edit on I am requesting that two-factor authentication be disabled on my account.

Due to a cell phone failure, my Google Authenticator app lost all data. Afterwards, I also learned that my printout of hard-copy backup code had been lost. As a result, I have lost the ability to log into my account on new devices. However, I still have access on my home laptop (at least until such time as I get logged out or my laptop dies). Unfortunately, I also cannot disable two-factor authentication myself as the two-factor code is also required to disable it in my own preferences section.

For evidence that I own this account, please see my post at


  • User has still access to the Wikimedia account and has confirmed the 2FA lost
  • User has access to an account linked to the Wikimedia account (Phabricator) and has confirmed the 2FA lost
  • Checkuser for global account
  • Checkuser for local enwiki account
  • Confirmation received by mail

Trust & Safety notification:

To James, per IRC, 2018-04-07 23:45 UTC, ack'ed 23:50 UTC.

Event Timeline

Xaosflux triaged this task as Medium priority.Apr 7 2018, 8:33 PM
Xaosflux added a project: Trust-and-Safety.
Xaosflux added a subscriber: Xaosflux.

@Barek Thanks for reporting this. Yes, it's possible to reset the second factor as long as there is a proof the request is legitimate.

We need to assert your request is from the same user Barek who contribute to Wikipedia and not from someone stealing the account. That's the goal of the two factor authentication.

For that, we have several possibilities. Let's try one of the simplest and more straightforward:

Do you have a static IP address (or a dynamic address with very long life duration)? If so, do you agree we request to a steward a checkuser to authenticate the message on the village pump is from the same IP used for contributions? That would be an acceptable proof of identity.

@Dereckson My IP is dynamic; but frequently remains stable for months at a time. I fully support the use of a steward request for a checkuser to authenticate my identity. If needed, the email linked to my user account can also be contacted to request agreement of a checkuser.

Thank you for assisting me in this issue.

Thanks for the suggestion and the approval of the CU request.

The global account has a mail address, confirmed before this request. Confirmation mail sent.

Althrough this seems to be legitimate request, I'm pretty sure SuSa should be at least aware if not explicitelly approve. But up to you @Dereckson ;).

Per, they indeed need to be made aware of a security-related account change: "someone from Trust & Safety (for example James Alexander) should be notified of the password reset". By analogy, it's certainly applies to 2FA reset requests.

They can also help for more complicated cases: "It might also be a good idea to pass things to them if there is no sufficient elements to confirm the identity."

So my intent was and is to handle this request as long as there are sufficient elements to confirm the identity,

Dereckson updated the task description. (Show Details)
Dereckson moved this task from Working on to To deploy on the Wikimedia-Site-requests board.

There are clear elements the request is legitimate, so we can proceed.

Mentioned in SAL (#wikimedia-operations) [2018-04-07T23:44:27Z] <Dereckson> OATHAuth disabled for Wikimedia SUL global account Barek (T191708)

@Barek It should now be disabled, could you confirm it works?

@Dereckson Thank you, I can confirm it was disabled. I can now log in again from my phone. I will re-enable 2FA later tonight (and this time lock the hard-copy code into a file cabinet or lock box to be sure it isn't lost).

You're welcome. Thank you for the confirmation. Yes, it's a good idea to lock them good.