
Degrade/temporarily remove user rights/groups if 2FA isn't enabled
Open, HighPublic

Description

Related to T150562: Be able to force OATHAuth for certain user groups, it'd be useful if we could have a partial degradation of rights if the user doesn't have 2FA enabled (probably more temporarily) rather than completely preventing access. This would make it possible to lose user groups such as checkuser for that period, but still be able to log in, edit etc. Then when 2FA was re-enabled, these privileged groups would be accessible again.

Event Timeline

Reedy created this task. Jul 9 2018, 3:08 PM
Restricted Application added a subscriber: Aklapper. Jul 9 2018, 3:08 PM
He7d3r added a subscriber: He7d3r. Aug 13 2018, 11:38 AM

Change 452020 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/extensions/OATHAuth@master] Certain rights should be temporarily removed if 2fa isn't enabled for a user. These rights should be set in $wgOATHSensitiveRights.

https://gerrit.wikimedia.org/r/452020

MR70 triaged this task as High priority.
MR70 claimed this task.
Reedy added a comment.Oct 6 2018, 11:06 PM

Why are you merging the tasks? They're different.

This is for the functionality. T197501 is for an implementation/usage of it

MR70 added a comment (edited). Oct 6 2018, 11:09 PM

@Reedy Sorry. I thought this task was for both; that's why I merged the other task into this.

Rather than remove their rights, just make them unable to use them until they re-enable 2FA. There might be cases where you have to turn off 2FA temporarily (i.e. phone change, etc.). For those who are promoted to privileged groups but don't have 2FA enabled, equally make them unable to use said privs, regardless of their on-wiki permissions, until they enable 2FA. Thanks.

Certainly just make them not available, don't REMOVE them! For example, what if you log in with less access on purpose, such as via BotPasswords or an OAuth grant, just to use the API?

Reedy added a comment.Dec 1 2018, 1:25 PM

That's what degrade/temp remove means. Make MW do it on the fly, not actually removing the membership.
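An added sketch of the "on the fly" approach described in this thread; this is illustrative code, not the OATHAuth patch from change 452020. It assumes `$wgOATHSensitiveRights` (named on this task) holds the list of rights to withhold, and a hypothetical helper `userHasTwoFactorEnabled()` that reports whether the account has a 2FA device enrolled.

```php
<?php
// Illustrative only. Registered in extension.json as
//   "Hooks": { "UserGetRights": "SensitiveRightsHooks::onUserGetRights" }
// The core UserGetRights hook runs every time MediaWiki computes a user's
// effective rights, so the degradation is recomputed per request and group
// membership is never touched: the rights come back as soon as 2FA is on.

/**
 * Hypothetical helper (assumption): true when the user has 2FA enabled.
 * A real implementation would ask OATHAuth's user repository.
 */
function userHasTwoFactorEnabled( User $user ): bool {
	// placeholder; replace with the extension's own 2FA lookup
	return false;
}

class SensitiveRightsHooks {
	/**
	 * @param User $user   the user whose rights are being computed
	 * @param string[] &$rights  effective rights, modified in place
	 * @return bool always true so other hook handlers still run
	 */
	public static function onUserGetRights( User $user, array &$rights ) {
		global $wgOATHSensitiveRights;

		// Anonymous users never hold privileged rights; nothing configured
		// means nothing to withhold.
		if ( $user->isAnon() || empty( $wgOATHSensitiveRights ) ) {
			return true;
		}
		if ( userHasTwoFactorEnabled( $user ) ) {
			return true;
		}

		// Only the configured sensitive rights are withheld; ordinary
		// rights such as edit stay available, matching the task description.
		$withheld = array_intersect( $rights, $wgOATHSensitiveRights );
		if ( $withheld ) {
			$rights = array_values( array_diff( $rights, $wgOATHSensitiveRights ) );
			wfDebugLog( 'OATHAuth', sprintf(
				'Withholding rights [%s] from %s until 2FA is enabled',
				implode( ', ', $withheld ), $user->getName()
			) );
		}
		return true;
	}
}
```

Because the filter sits inside rights computation it applies the same way to web, API and BotPassword sessions; it does not by itself address the point raised above about logins that intentionally carry reduced access.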

Nirmos added a subscriber: Nirmos.Dec 7 2018, 12:07 PM
Meno25 added a subscriber: Meno25.Dec 9 2018, 3:55 AM

Not in favour of this change, considering the potential issues with 2FA (5 scratch codes that're displayed one-time? That's too little).

Reedy added a comment.Dec 9 2018, 5:16 PM

> Not in favour of this change, considering the potential issues with 2FA (5 scratch codes that're displayed one-time? That's too little).

Displaying it once is too little? Or five?

Why are you not in favour of it? What would you rather happen, they cannot access their account until they do enable 2FA?

Leaderboard added a comment (edited). Dec 11 2018, 11:05 PM

>> Not in favour of this change, considering the potential issues with 2FA (5 scratch codes that're displayed one-time? That's too little).
>
> Displaying it once is too little? Or five?
>
> Why are you not in favour of it? What would you rather happen, they cannot access their account until they do enable 2FA?

The fact that there are only five scratch codes itself is the issue, considering that an action could require at least two scratch codes.

By one-time I meant that the user has no way of seeing which scratch codes are used and which he can still use, and that the five scratch codes are displayed only once.

Other 2FA providers do more (Google for example provides 10).

> Other 2FA providers do more (Google for example provides 10).

Perhaps this could be raised in a different task, if not requested already.

Indeed. This is out of the scope for this task, but could be considered necessary/a dependency for doing it

1997kB removed a subscriber: 1997kB. Jan 25 2019, 3:12 PM
Aklapper removed MR70 as the assignee of this task. Feb 25 2019, 8:26 AM

Change 452020 abandoned by WMFOffice:
Temporarily disable certain rights if 2FA isn't enabled for the user

Reason:
abandoning patch sets of globally banned user

https://gerrit.wikimedia.org/r/452020