Page MenuHomePhabricator
Create Task
Maniphest T194077

2FA should clarify O and 0s in recovery codes
Open, Needs TriagePublic
Actions

Description

Pretty much says it in the title. It's difficult to tell O from 0 in the typeface being used.

Related Objects
Search...

Event Timeline

EdErhart-WMF created this task.May 7 2018, 7:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 7 2018, 7:27 PM
Framawiki subscribed.May 7 2018, 7:53 PM
Legoktm subscribed.May 9 2018, 1:26 AM

What operating system/browser are you using? It depends on which font your browser ends up picking...on Fedora 28/Firefox, the monospace font is DejaVu Sans Mono, which does visually differentiate between 0 and O, as you can see in the screenshot. In Firefox if you right click on the text, pick show inspector from the menu, and then switch the tab to fonts, it'll tell you which font your browser picked.

Screenshot from 2018-05-08 18-23-22.png (389×423 px, 19 KB)

EdErhart-WMF added a comment.May 9 2018, 5:01 PM

@Legoktm Chrome! Using "inspect" says that the font family is monospace.

Vvjjkkii renamed this task from 2FA should clarify O and 0s in scratch codes to agdaaaaaaa.Jul 1 2018, 1:12 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from agdaaaaaaa to 2FA should clarify O and 0s in scratch codes.Jul 1 2018, 3:56 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
CommunityTechBot added a subscriber: Aklapper.
Tgr subscribed.Dec 6 2018, 8:43 AM

We could just generate codes which do not have easy to mistake characters. o (small letter) / O (large letter) / 0 (number) and 1 (number) / l (small L) / I (large i) are typically the things to avoid.

Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Jul 5 2019, 9:58 PM
Reedy merged a task: T258798: 2FA 0 (zero) and O.Jul 24 2020, 2:35 PM
Reedy added a subscriber: Path_slopu1234.
Bugreporter merged a task: T258798: 2FA 0 (zero) and O.Jul 24 2020, 2:36 PM
Evrifaessa subscribed.Jul 26 2020, 2:11 PM
Logicer subscribed.Jul 5 2022, 5:53 AM
Reedy added a project: Accessibility.Aug 30 2023, 1:55 PM
Reedy added a parent task: T352856: Recovery code improvements.Dec 6 2023, 12:44 PM
Reedy renamed this task from 2FA should clarify O and 0s in scratch codes to 2FA should clarify O and 0s in recovery codes.Jan 1 2024, 8:54 PM
Tgr added a comment.Aug 1 2025, 3:59 PM

Base56 and base58 are some common ways to generate characters which are hard to mistake for each other. We could use the uppercase-only version of one of those.

Mstyles added a project: FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).Oct 2 2025, 6:17 PM
Mstyles moved this task from Inbox to Feature enhancements on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 2 2025, 6:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits