Page MenuHomePhabricator
Create Task
Maniphest T197153

Make some providers optional for reauthentication
Open, MediumPublic
Actions

Description

We require reauthentication for security-sensitive operations; that gets annoying if we use it for a lot of things, and extra annoying for people who have more secure logins (e.g. long random passwords they need to look up in a password manager, or two-factor authentication). We should make it possible for providers to act differently during reauthentication (some ideas here) and make reauthentication shorter:

  • no need for login captcha (where enabled)
  • maybe no need for second factor?
  • or maybe when there is a second factor no need for the password?

See also:

Details

SubjectRepoBranchLines +/-
AuthManager: Modify security level handlingmediawiki/coremaster+867 -61
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jun 13 2018, 5:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2018, 5:09 PM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:22 PM
Tgr added a parent task: T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:24 PM
Rxy subscribed.Jun 13 2018, 7:58 PM
Vvjjkkii renamed this task from Make some providers optional for reauthentication to u2aaaaaaaa.Jul 1 2018, 1:04 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
Ankry renamed this task from u2aaaaaaaa to Make some providers optional for reauthentication.Jul 1 2018, 4:22 PM
Ankry raised the priority of this task from High to Needs Triage.
Ankry removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
Ankry updated the task description. (Show Details)
Ankry added a subscriber: Aklapper.
Tgr mentioned this in T201784: Implement option "require two-factor authentication only for dangerous actions".Aug 13 2018, 6:01 AM
He7d3r subscribed.Aug 13 2018, 11:38 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Tgr updated the task description. (Show Details)Sep 23 2018, 11:56 PM
Tgr mentioned this in T203325: BotPasswords right selection form shows plain-text html.
Tgr mentioned this in T208667: Tie reauthentication (login with elevated security) to a specific security level.Nov 4 2018, 4:45 AM
Tgr added a subtask: T208668: Do not ask for password on reauthentication when 2FA is enabled.Nov 4 2018, 6:04 AM
gerritbot subscribed.Nov 5 2018, 12:09 AM

Change 471664 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] [WIP] AuthManager: Modify security level handling

https://gerrit.wikimedia.org/r/471664

gerritbot added a project: Patch-For-Review.Nov 5 2018, 12:09 AM
Tgr added a subtask: T168557: "Keep me logged in" check box shouldn't be shown when a logged-in user is being verified.Nov 6 2018, 12:27 AM
AfroThundr3007730 subscribed.Nov 26 2018, 12:52 AM
Tgr added a project: User-Tgr.Dec 8 2018, 4:54 AM
Tgr moved this task from Backlog to Next on the User-Tgr board.Feb 23 2019, 7:19 AM
Tgr mentioned this in T222849: OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel().May 10 2019, 6:26 AM
Aklapper removed a project: Security-Core.Nov 27 2019, 12:42 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 4:55 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 27 2023, 2:13 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL