Page MenuHomePhabricator
Create Task
Maniphest T191708

Disable Two-factor authentication for user Barek on en.wiki
Closed, ResolvedPublic
Actions

Description

I am user:Barek, and primarily edit on en.wiki. I am requesting that two-factor authentication be disabled on my account.

Due to a cell phone failure, my Google Authenticator app lost all data. Afterwards, I also learned that my printout of hard-copy backup code had been lost. As a result, I have lost the ability to log into my account on new devices. However, I still have access on my home laptop (at least until such time as I get logged out or my laptop dies). Unfortunately, I also cannot disable two-factor authentication myself as the two-factor code is also required to disable it in my own preferences section.

For evidence that I own this account, please see my post at https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#Question_re:_Two_Factor_Authentication

Checks:

  • User has still access to the Wikimedia account and has confirmed the 2FA lost
  • User has access to an account linked to the Wikimedia account (Phabricator) and has confirmed the 2FA lost
  • Checkuser for global account
  • Checkuser for local enwiki account
  • Confirmation received by mail

Trust & Safety notification:

To James, per IRC, 2018-04-07 23:45 UTC, ack'ed 23:50 UTC.

Event Timeline

Barek created this task.Apr 7 2018, 8:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 7 2018, 8:22 PM
Xaosflux triaged this task as Medium priority.Apr 7 2018, 8:33 PM
Xaosflux added a project: Trust-and-Safety.
Xaosflux subscribed.
Dereckson subscribed.EditedApr 7 2018, 9:43 PM

@Barek Thanks for reporting this. Yes, it's possible to reset the second factor as long as there is a proof the request is legitimate.

We need to assert your request is from the same user Barek who contribute to Wikipedia and not from someone stealing the account. That's the goal of the two factor authentication.

For that, we have several possibilities. Let's try one of the simplest and more straightforward:

Do you have a static IP address (or a dynamic address with very long life duration)? If so, do you agree we request to a steward a checkuser to authenticate the message on the village pump is from the same IP used for contributions? That would be an acceptable proof of identity.

Dereckson moved this task from Backlog to Working on on the Wikimedia-Site-requests board.Apr 7 2018, 9:49 PM
Barek added a comment.Apr 7 2018, 10:02 PM

@Dereckson My IP is dynamic; but frequently remains stable for months at a time. I fully support the use of a steward request for a checkuser to authenticate my identity. If needed, the email linked to my user account can also be contacted to request agreement of a checkuser.

Thank you for assisting me in this issue.

Dereckson added a comment.Apr 7 2018, 10:08 PM

Thanks for the suggestion and the approval of the CU request.

Dereckson updated the task description. (Show Details)Apr 7 2018, 10:20 PM
Dereckson added a comment.Apr 7 2018, 10:29 PM

The global account has a mail address, confirmed before this request. Confirmation mail sent.

Dereckson updated the task description. (Show Details)Apr 7 2018, 10:48 PM
Urbanecm subscribed.Apr 7 2018, 10:53 PM

Althrough this seems to be legitimate request, I'm pretty sure SuSa should be at least aware if not explicitelly approve. But up to you @Dereckson ;).

Dereckson added a comment.EditedApr 7 2018, 10:57 PM

Per https://wikitech.wikimedia.org/wiki/Password_reset, they indeed need to be made aware of a security-related account change: "someone from Trust & Safety (for example James Alexander) should be notified of the password reset". By analogy, it's certainly applies to 2FA reset requests.

They can also help for more complicated cases: "It might also be a good idea to pass things to them if there is no sufficient elements to confirm the identity."

So my intent was and is to handle this request as long as there are sufficient elements to confirm the identity,

Dereckson updated the task description. (Show Details)Apr 7 2018, 11:21 PM
Dereckson claimed this task.Apr 7 2018, 11:39 PM
Dereckson updated the task description. (Show Details)
Dereckson moved this task from Working on to To deploy on the Wikimedia-Site-requests board.

There are clear elements the request is legitimate, so we can proceed.

Stashbot subscribed.Apr 7 2018, 11:44 PM

Mentioned in SAL (#wikimedia-operations) [2018-04-07T23:44:27Z] <Dereckson> OATHAuth disabled for Wikimedia SUL global account Barek (T191708)

Dereckson added a comment.Apr 7 2018, 11:56 PM

@Barek It should now be disabled, could you confirm it works?

Barek added a comment.Apr 8 2018, 12:02 AM

@Dereckson Thank you, I can confirm it was disabled. I can now log in again from my phone. I will re-enable 2FA later tonight (and this time lock the hard-copy code into a file cabinet or lock box to be sure it isn't lost).

Dereckson closed this task as Resolved.Apr 8 2018, 12:08 AM

You're welcome. Thank you for the confirmation. Yes, it's a good idea to lock them good.

Dereckson updated the task description. (Show Details)Apr 8 2018, 12:09 AM
EddieGP updated the task description. (Show Details)Apr 8 2018, 12:40 PM
Peachey88 moved this task from Backlog to 2FA (requests) on the Trust-and-Safety board.Oct 20 2019, 10:21 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL