Page MenuHomePhabricator

Implement option "require two-factor authentication only for dangerous actions"
Open, Needs TriagePublic

Description

TLDR: Implement option that if enabled would require two factor authentication only for some MW actions, like change of password, user preferences, or sysop actions.

Explanation, justification:

Right now there are only two options:

  • Don't use two-factor authentication (insecure)
  • Use two factor authentication (annoying as hell)

Option I would like to see implemented:

  • Require two factor authentication only when performing restricted action (privileged / sysop action, access user preferences etc.) - not require two factor auth for simple wiki editing, talk page editing etc.

With two factor authentication it doesn't seem to be possible to make session persistent and it really is extremely annoying to look for your mobile phone, open the app and fill in the code everytime you want to do some simple wiki action. I am very lazy and even found myself to rather decide not to do a minor change (be it fix of typo correction etc. in article on English Wikipedia etc) rather than going through the hassle of using the google authenticator.

I think it would be really cool to have an option (or maybe even more of them?) that would help to specify when two factor auth is really desired, so that for example users could decide that for simple actions like wiki editing normal login would be sufficient, but for changes like:

  • Change of password
  • Change of (some) preferences
  • Admin actions (block, delete etc.)

two-factor authentication would be enforced.

An idea how this could look on user interface (in preferences dialog):

Instead of

Two-factor authentication: enable / disable

There could be radio buttons:

  • Disable
  • Enable, require 2FA token only when performing changes to you preferences or actions that require elevated privileges
  • Enable, require 2FA token for every login

Event Timeline

Petrb created this task.Aug 12 2018, 4:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 12 2018, 4:40 PM
Stryn added a subscriber: Stryn.Aug 12 2018, 5:00 PM
Bawolff added a subscriber: Bawolff.

This is sort of similar to (but definitely not the same) as T199118 / T197501. Perhaps doing that bug would be a prerequisite to this one (as it would make it easier to implement this one)

With two factor authentication it doesn't seem to be possible to make session persistent

I'm not sure I understand what you mean. 2FA will last with your current session. You can't make it last independent of your current session, but if you check "remember me" it will last as long as your login status lasts (I think that's 180 days).

Anomie added a subscriber: Anomie.Aug 12 2018, 5:55 PM

Most people will have to use 2-factor auth very rarely:

  • When logging in, once every 365 days because they check the "Keep me logged in" checkbox.
  • When changing their password or other authentication data.
  • When managing BotPasswords.
  • When changing their email address.
  • (not on Wikimedia sites: if something like GoogleLogin is enabled then linking or unlinking an account for that)

I don't know how you could be running in to this for making edits or other "simple wiki action[s]", unless you log yourself out constantly or never use the "Keep me logged in" checkbox.

Its important to keep in mind here that threat models differ for different users. For some accounts, its the reputation that matters (e.g. in a Role account it probably matters what the person is saying not what they are doing). For others having a method of logging in without 2FA where the account become non-admin is probably sufficient. If we do this bug, its important to keep in mind differing requirements, ensuring that we cater to both groups and create a UI that ensures people select the right security guarantees for their needs.

Hi. Here are my two cents. I'm an interface admin. I never mark on mobile "keep me logged in" because of security - if somebody will "take" my mobile I do not want the account to be used. If 2FA will be forced on interface admins, I'll need to mark it, to avoid 2FA every day. So it will decrement the security, not increment.

This is sort of similar to (but definitely not the same) as T199118 / T197501. Perhaps doing that bug would be a prerequisite to this one (as it would make it easier to implement this one)

Probably. Off the top of my head, to do this you'd need a few pieces:

  • OATHAuth to be able to effectively remove certain userrights in certain situations. This code could be largely shared with those tasks, and might use the 'UserGetRights' hook.
  • OATHAuth's TOTPSecondaryAuthenticationProvider to allow skipping entering the second factor, triggering the above to remove the appropriate userrights.
  • Optionally, anything that fails due to missing userrights to test if a re-login without bypassing TOTPSecondaryAuthenticationProvider would help and changing the error message appropriately. But, of course, in a generic manner rather than specific to OATHAuth.
Petrb added a comment.EditedAug 12 2018, 6:31 PM

Now this is interesting. I use my account on multiple various devices (more than 10 separate devices including virtual machines and my phone, tablet etc), I always check remember me everywhere I can, although I can't do that with bot logins.

My sessions never last more than 1 day on all of mentioned devices. Every next day I start using WP on any device, I am logged out. I was thinking that's intended since I started experiencing this only ever since I configured 2FA.

It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation everytime you want to change your password (I believe that might actually already be a case), or change your preferences, or eventually, making your "admin sessions" (yes I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like

  • block user
  • delete
  • checkuser
  • edit MW global space, CSS / JS etc

should require you to enter 2FA token unless you didn't recently provide it. I think this would increase the security in case that someone got an access to unattended computer of some sysop, who wasn't doing anything on wiki recently, but did check "remember me" in past.

But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.

Petrb updated the task description. (Show Details)Aug 12 2018, 6:37 PM
He7d3r added a subscriber: He7d3r.Aug 13 2018, 11:38 AM

It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation everytime you want to change your password (I believe that might actually already be a case), or change your preferences, or eventually, making your "admin sessions" (yes I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like

  • block user
  • delete
  • checkuser
  • edit MW global space, CSS / JS etc

should require you to enter 2FA token unless you didn't recently provide it. I think this would increase the security in case that someone got an access to unattended computer of some sysop, who wasn't doing anything on wiki recently, but did check "remember me" in past.

Are you sure this is a good thing to do? When patrolling during school education time, I need to block users quickly to stop them from vandalizing, sometimes several IPs on the same time. I do not want system to ask me for token when blocking (and even when blocking firstly). The same with delete.

Instead, let's educate admins to not use "Remember me" on computers they do not own. I don't need to enter 2FA frequently.

But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.

It is and it works. What comes to my mind: Log out do log out you everywhere, not just on this device (including devices you used remember me option).

Petrb added a comment.Aug 13 2018, 4:40 PM

It's definitely interesting to see this is more likely a bug than a feature, but I still believe that requiring 2FA confirmation everytime you want to change your password (I believe that might actually already be a case), or change your preferences, or eventually, making your "admin sessions" (yes I know that's not a thing yet) temporary, meaning that even if MW remembered you, some actions like

  • block user
  • delete
  • checkuser
  • edit MW global space, CSS / JS etc

should require you to enter 2FA token unless you didn't recently provide it. I think this would increase the security in case that someone got an access to unattended computer of some sysop, who wasn't doing anything on wiki recently, but did check "remember me" in past.

Are you sure this is a good thing to do? When patrolling during school education time, I need to block users quickly to stop them from vandalizing, sometimes several IPs on the same time. I do not want system to ask me for token when blocking (and even when blocking firstly). The same with delete.
Instead, let's educate admins to not use "Remember me" on computers they do not own. I don't need to enter 2FA frequently.

But yeah, if this "remember me" option really is supposed to work even with 2FA, maybe this task could be low priority.

It is and it works. What comes to my mind: Log out do log out you everywhere, not just on this device (including devices you used remember me option).

I think you didn't read or didn't understand my whole proposal. First of all, this is meant to be an optional feature, so if you don't like it, you don't have to use it. Then, I already said that this would require a 2FA token only if you didn't recently provide it. So if you want to block multiple users and you aren't going to spend 2 days filling up the block form, it wouldn't ask you for a token.

@Petrb I read your proposal and I consider it useless, because what I wrote. I don't think it is a good thing to do. Yes, I understand it is optional, but it will still require some $$$ to invest :). I think it is better to not log in permanently when you do not own the computer than logging in permanently and think something like "well, the software will require 2FA before anything dangerous".

Especially when talking about accounts having advanced privileges, I think even being able to edit is dangerous privilege, because there is always some difference between admin's opinion, logged in user's opinion and IP's opinion.

T153454: Enable BotPasswords (or similar feature) for web/interactive access can be useful thing.

Petrb added a comment.Aug 15 2018, 4:13 PM

@Petrb I read your proposal and I consider it useless, because what I wrote. I don't think it is a good thing to do. Yes, I understand it is optional, but it will still require some $$$ to invest :). I think it is better to not log in permanently when you do not own the computer than logging in permanently and think something like "well, the software will require 2FA before anything dangerous".
Especially when talking about accounts having advanced privileges, I think even being able to edit is dangerous privilege, because there is always some difference between admin's opinion, logged in user's opinion and IP's opinion.
T153454: Enable BotPasswords (or similar feature) for web/interactive access can be useful thing.

It will require $0 if done by a volunteer and just because it's useless in your, imho limited, use case doesn't mean it's useless for all other users. I stated multiple examples, with very different use-cases than yours where this would be very useful.

RP88 added a subscriber: RP88.Aug 20 2018, 5:05 PM
Samtar added a subscriber: Samtar.Oct 20 2018, 7:26 PM
4nn1l2 added a subscriber: 4nn1l2.Jan 17 2019, 4:02 PM
Petrb updated the task description. (Show Details)Apr 9 2019, 3:53 PM