Page MenuHomePhabricator
Create Task
Maniphest T197501

Make users without 2FA setup not have checkuser right regardless of their groups
Closed, DeclinedPublic
Actions

Description

It was recently suggested on #wikimedia-commons that users without 2FA enabled should automatically have checkuser (And maybe oversight, and eventually maybe admin) rights disabled, and then automatically enabled once they re-enable 2FA.

We should consider looking into this.

See the (private) task T197500 for a list of users this would affect.

Related Objects
Search...

Event Timeline

Bawolff created this task.Jun 15 2018, 10:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 15 2018, 10:44 PM
Bawolff updated the task description. (Show Details)Jun 15 2018, 10:45 PM
Reedy subscribed.Jun 15 2018, 10:57 PM

T150562: Be able to force OATHAuth for certain user groups too

Jdforrester-WMF subscribed.Jun 15 2018, 10:58 PM
Peachey88 subscribed.Jun 15 2018, 10:58 PM
Huji subscribed.EditedJun 15 2018, 11:51 PM

@Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify #OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.

I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

1997kB subscribed.Jun 16 2018, 2:21 AM
Bawolff added a comment.Jun 16 2018, 9:53 PM
In T197501#4294400, @Huji wrote:

@Bawolff from what I understand, the way CheckUser works right now is it calls checkPermissions which is inherited from SpecialPage. I am thinking we can override this method in which we first call the parent function, and then call a hook (and I need your suggestion for its name, does onCUCheckPermission sound good?) to allow other extensions to control whether the method results in a pass or a fail situation. Finally, we can modify #OATHAuth code to return a pass if the user has 2FA enabled and fail otherwise.

I think the limitation here is what @Reedy mentioned in T150562 i.e. the communication piece will be messy (as in, the user will get a generic permission error, not one that specifically says "you need to enable 2FA"). Unless there is a way to avoid that which I am not able to think of.

If we do do this bug - I think the 2FA system should hook into mediawikis auth system directly - not try and override how checkuser works. E.g. use the userCan hook or UserGetRights hook or some similar hook.

MarcoAurelio added a project: Stewards-and-global-tools.Jun 17 2018, 11:11 AM
MarcoAurelio subscribed.
alaa subscribed.Jun 18 2018, 4:37 AM
Vvjjkkii renamed this task from Make users without 2FA setup not have checkuser right regardless of their groups to 6saaaaaaaa.Jul 1 2018, 1:03 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: MarcoAurelio, Huji, Aklapper.
CommunityTechBot renamed this task from 6saaaaaaaa to Make users without 2FA setup not have checkuser right regardless of their groups.Jul 2 2018, 4:54 AM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02).
CommunityTechBot added subscribers: MarcoAurelio, Huji, Aklapper.
gerritbot subscribed.Aug 3 2018, 11:10 PM

Change 450292 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/extensions/CheckUser@master] Bug: T197501

https://gerrit.wikimedia.org/r/450292

gerritbot added a project: Patch-For-Review.Aug 3 2018, 11:10 PM
gerritbot added a comment.Aug 3 2018, 11:26 PM

Change 450293 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/core@master] Bug: T197501

https://gerrit.wikimedia.org/r/450293

Reedy added a subtask: T150562: Be able to force OATHAuth for certain user groups.Aug 3 2018, 11:50 PM
Amorymeltzer subscribed.Aug 4 2018, 12:25 AM
Bawolff mentioned this in T201784: Implement option "require two-factor authentication only for dangerous actions".Aug 12 2018, 5:52 PM
RP88 subscribed.Aug 20 2018, 5:04 PM
gerritbot added a comment.Sep 1 2018, 9:57 PM

Change 450293 abandoned by MR70:
Bug: T197501

https://gerrit.wikimedia.org/r/450293

MR70 removed a project: Patch-For-Review.Sep 3 2018, 5:25 PM
MR70 subscribed.Oct 5 2018, 2:42 AM
This comment was removed by MR70.
MR70 merged a task: T199118: Degrade/temporarily remove user rights/groups if 2FA isn't enabled.Oct 6 2018, 11:01 PM
MR70 added subscribers: stwalkerster, Nemo_bis, He7d3r.
MR70 closed this task as a duplicate of T199118: Degrade/temporarily remove user rights/groups if 2FA isn't enabled.Oct 6 2018, 11:03 PM
Reedy reopened this task as Open.Oct 6 2018, 11:06 PM
Reedy mentioned this in T199118: Degrade/temporarily remove user rights/groups if 2FA isn't enabled.
AGK subscribed.Oct 23 2018, 7:44 AM
Bawolff added a comment.Dec 5 2018, 10:31 PM

It was pointed out to me that this might not be the best idea, because if an attacker compromises an account that has temporarily removed 2FA, the attacker can just enroll into 2FA to get back access.

Meno25 subscribed.Dec 9 2018, 3:45 AM
Tgr added a parent task: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Dec 10 2018, 7:17 AM
1997kB unsubscribed.Jan 25 2019, 3:09 PM
Amorymeltzer mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Jan 13 2020, 1:04 AM
Trijnstel subscribed.Aug 29 2020, 10:46 AM
DannyS712 subscribed.Sep 14 2020, 3:57 AM
Zabe subscribed.May 16 2021, 10:02 AM
FriedrickMILBarbarossa awarded a token.May 17 2021, 4:11 AM
FriedrickMILBarbarossa subscribed.
Legoktm closed subtask T150562: Be able to force OATHAuth for certain user groups as Resolved.Feb 18 2022, 7:17 AM
Stang subscribed.Mar 3 2022, 5:50 AM
Zabe added a comment.Feb 5 2023, 3:33 PM

Unlike interface-admin, there is currently no policy that requires checkuser to have 2FA enabled. Such a policy should be implemented before we enforce it.

Xaosflux subscribed.Oct 4 2023, 8:27 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Dec 6 2023, 12:56 PM
Reedy moved this task from User Experience to External on the MediaWiki-extensions-OATHAuth board.Dec 26 2023, 11:40 PM
Johannnes89 subscribed.May 25 2024, 11:48 AM
Tgr reopened subtask T150562: Be able to force OATHAuth for certain user groups as Open.Mar 29 2025, 3:32 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptMar 29 2025, 3:32 PM
jeremyb subscribed.May 4 2025, 11:18 AM
Johannnes89 added a comment.May 6 2025, 5:20 PM

https://meta.wikimedia.org/wiki/Mandatory_two-factor_authentication_for_users_with_some_extended_rights

Dreamy_Jazz edited projects, added: Product Safety and Integrity; removed: Trust and Safety Product Team.Feb 24 2026, 3:39 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptFeb 24 2026, 3:39 PM
matmarex moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Mar 2 2026, 3:58 PM
matmarex edited projects, added: MediaWiki-Platform-Team (Radar); removed: MediaWiki-Platform-Team.
mszwarc closed subtask T150562: Be able to force OATHAuth for certain user groups as Resolved.Mar 27 2026, 9:00 AM
mszwarc closed this task as Declined.Apr 13 2026, 12:33 PM
mszwarc subscribed.
In T197501#4801894, @Bawolff wrote:

It was pointed out to me that this might not be the best idea, because if an attacker compromises an account that has temporarily removed 2FA, the attacker can just enroll into 2FA to get back access.

Product Safety and Integrity takes an approach to roll out 2FA enforcement based on the user's groups and closely tied to the actual membership in these groups (for CUs it was done in T418580). One of the reasons is the issue quoted above. For that reason, we won't implement rights-based 2FA enforcement.

As of now, it's the site administrator's responsibility to have a groups/rights/enforcement combination that makes sense (i.e. no checkuser-capable groups with no enforcement). A safeguard similar to only interface admins having code-editing rights may be helpful, but that's out of scope of this request.

Stang unsubscribed.Apr 16 2026, 8:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits